Start up: sneaking iOS apps, spoofing Spotify, CIA director gets hacked, and more


One of these is probably chewing up your battery by playing silent audio (on Android too). But which? Photo by microsiervos on Flickr.

You can now sign up to receive each day’s Start Up post by email. You’ll need to click a confirmation link, so no spam.

A selection of 9 links for you. Like champagne for the mind! Perhaps. I’m charlesarthur on Twitter. Observations and links welcome.

iOS apps caught using private APIs » SourceDNA

Nate Lawson and team:

we noticed that these functions were all part of a common codebase, the Youmi advertising SDK from China.

We then associated the clusters of this SDK’s code with the release dates of the apps that contain them to see how it has evolved over time. The older versions do not call private APIs, so the 142 apps that have them are ok. But almost two years ago, we believe the Youmi developers began experimenting with obfuscating a call to get the frontmost app name.

Once they were able to get this through App Review, they probably became more confident they weren’t being detected and added the above behaviors in order. They also use the same obfuscation to hide calls to retrieve the advertising ID, which is allowable for tracking ad clicks, but they may be using it for other purposes since they went to the trouble to obfuscate this. The latest version of the Youmi SDK (v5.3.0), published a month ago, still gathers all the above information.

Apple has been locking down private APIs, including blocking apps from reading the platform serial number in iOS 8. Youmi worked around this by enumerating peripheral devices, such as the battery system, and sending those serial numbers as a hardware identifier.

Find out now! Just select your developer accounts from a list, and we’ll tell you what we found about your apps. We’ll also show the commercial and open-source code you’re using and alert you to future issues we find.

We found 256 apps (est. total of 1 million downloads) that have one of the versions of Youmi that violates user privacy. Most of the developers are located in China. We believe the developers of these apps aren’t aware of this since the SDK is delivered in binary form, obfuscated, and user info is uploaded to Youmi’s server, not the app’s. We recommend developers stop using this SDK until this code is removed.

Apple’s yanking the apps. Developer? Check it here. It’s always China, isn’t it? But nothing to stop apps from other countries doing the same.
link to this extract


The background data and battery usage of Facebook’s iOS app » MacStories

Federico Viticci:

With iOS 9’s improved energy consumption stats, it’s easier to guess one of the various tricks Facebook may be employing to stay active in the background and drain battery. On my girlfriend’s iPhone, for instance, iOS 9 reports 5 hours of on-screen usage for the last 7 days, and another 11 hours of background audio usage with Background App Refresh turned off.

My guess is that Facebook is hijacking audio sessions on iOS by keeping silent audio in the background whenever a video plays in the app. And because, by default, videos on Facebook auto-play on both Wi-Fi and Cellular and few people ever bother to turn it off, that means there’s a high chance the Facebook app will always find a way to play a video, keep audio in the background, and consume energy to perform background tasks. I’m not alone in noticing the mysterious “Facebook audio” background consumption, and video auto-play seems to me the most likely explanation at this point. I don’t know if turning off auto-play may fix the problem, but I’d recommend doing that anyway to save data.

Un-fricking-believable. The web is suddenly alive with people who have used iOS 9’s better battery monitoring system and discovered that Facebook is eating their battery like nobody’s business.

More discussion here, and a full-on Medium post, which shows Facebook using 3.4hrs in the background with background app refresh turned off.

Just delete it, and use the mobile site – navigate there and create a home page icon for it. And close the tab when done.
link to this extract


Microsoft announces price of 1TB Surface Book — $500 more than the top 13-inch MacBook Pro » GeekWire

James Risley:

The top-of-the-line 1TB Surface Book comes with 16GB RAM and a Core Intel i7 processor for a cool $3,199, $500 more than the fully tricked out 13-inch MacBook Pro, and the same price as the fully enhanced, much larger 15-inch option. The Surface Book does have a few more tricks up its sleeve than the MacBook Pro, including a touchscreen, removable keyboard and a 360-degree hinge, so the price difference isn’t without reason.

The 1TB option joins the lineup that starts at $1,499 for a 128GB Core i5 version. Microsoft isn’t offering many fine-grained customizations for its first laptop, like allowing for more RAM on its 128GB model, but most models look adequately powerful for the everyday user.

“Everyday user”? Wasn’t the point of the Surface Book that it was for some slightly mythical ultra-user? As for the touchscreen and removable keyboard… the case for the touchscreen is still pretty weak for the “everyday user”.
link to this extract


Teen says he hacked CIA director’s AOL account » New York Post

Philip Messing, Jamie Schram and Bruce Golding:

Hillary Rodham Clinton’s email scandal didn’t stop the head of the CIA from using his own personal AOL account to stash work-related documents, according to a high school student who claims to have hacked into them.

CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.

Other emails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials, as well as a government letter about the use of “harsh interrogation techniques” on terrorism suspects, according to the hacker.

The FBI and other federal agencies are now investigating the hacker, with one source saying criminal charges are possible, law enforcement sources said.

The hacker is getting investigated for criminal charges? Brennan is the one who ought to be prosecuted. If a kid in high school could do this, any Chinese or Russian hacker would have.
link to this extract


Why it’s OK to block ads » Practical Ethics

James Williams:

Think about the websites, apps, or communications platforms you use most. What behavioral metric do you think they’re trying to maximize in their design of your attentional environment? I mean, what do you think is actually on the dashboards in their weekly product design meetings?

Whatever metric you think they’re nudging you toward—how do you know? Wouldn’t you like to know? Why shouldn’t you know? Isn’t there an entire realm of transparency and corporate responsibility going undemanded here?

I’ll give you a hint, though: it’s probably not any of the goals you have for yourself. Your goals are things like “spend more time with the kids,” “learn to play the zither,” “lose twenty pounds by summer,” “finish my degree,” etc. Your time is scarce, and you know it.

Your technologies, on the other hand, are trying to maximize goals like “Time on Site,” “Number of Video Views,” “Number of Pageviews,” and so on. Hence clickbait, hence auto-playing videos, hence avalanches of notifications. Your time is scarce, and your technologies know it.

But these design goals are petty and perverse. They don’t recognize our humanity because they don’t bother to ask about it in the first place.

Neatly argued, by stepping right back from the debate as framed by the ad industry.
link to this extract


I built a botnet that could destroy Spotify with fake listens » Motherboard

William Bedell:

I decided to prototype a robot with an endless appetite for music to see if Spotify could detect what it was doing.

Here is what I coded into life:

Image: William Bedell
First, a remote server used browser automation to sign up for Spotify accounts with randomly generated names, ages, and email addresses. This gave me a limitless supply of accounts to stream songs, so as not to alert Spotify by having a handful of users with inhuman amounts of activity.

A central command server periodically sent out Spotify login credentials to cloud servers (or repurposed personal computers) running dozens of Spotify clients, all masked behind virtual private networks. Each “user” logged in, listened to a few hours of music, then logged out. Their playlists were random selections from various artists I like. Then, I deployed the botnet using a patchwork of free cloud instances and my own hardware.

It was mesmerizing to watch the plays rack up. Unknown albums from minor celebrities I adore suddenly had tens of thousands of hits, where before they had virtually none. With minimal effort, I was generating $32.26 per day in royalties. Inevitably, my thoughts wandered to greed: how profitable would this music royalty factory be if I turned it on music I owned the rights to?

link to this extract
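A defender's view of the same scheme, as an added example that is not part of the Motherboard post and not Spotify's or Bedell's code: the tell the article describes is a batch of freshly created accounts all streaming the same obscure catalogue for hours a day, so a service can score accounts on age and daily listening time and then ask what share of each artist's streaming comes from such accounts. The thresholds, the field names and every log record below are constructed assumptions; Spotify's real detection logic is not public.

```python
"""Flag artificially streamed artists in a play log.

Added example, not Spotify's or Bedell's code. The heuristic, thresholds and
all records are assumptions built for this illustration.
"""

from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Play:
    account: str
    created: date   # date the account was registered
    day: date       # day on which the listening happened
    artist: str
    seconds: int    # seconds streamed from that artist on that day

# Assumed thresholds, chosen to fit the constructed data below.
NEW_ACCOUNT_DAYS = 14      # an account this young has no listening history to judge
HEAVY_HOURS_PER_DAY = 4    # a few hours a day, every day, is what the botnet did
FARMED_SHARE = 0.8         # flag an artist when this share of its time comes from such accounts

AS_OF = date(2015, 10, 20)

# Constructed log: two long-standing listeners plus three accounts created in
# bulk last week that stream the same minor artist for hours.
SAMPLE_LOG = [
    Play("u-1001", date(2013, 3, 2), date(2015, 10, 18), "Big Pop Act", 3600),
    Play("u-1001", date(2013, 3, 2), date(2015, 10, 19), "Big Pop Act", 2400),
    Play("u-1002", date(2014, 7, 9), date(2015, 10, 19), "Big Pop Act", 4200),
    Play("u-1002", date(2014, 7, 9), date(2015, 10, 19), "Minor Artist", 600),
    Play("bot-01", date(2015, 10, 14), date(2015, 10, 18), "Minor Artist", 18000),
    Play("bot-01", date(2015, 10, 14), date(2015, 10, 19), "Minor Artist", 18000),
    Play("bot-02", date(2015, 10, 14), date(2015, 10, 19), "Minor Artist", 21600),
    Play("bot-03", date(2015, 10, 15), date(2015, 10, 19), "Minor Artist", 19800),
]

def suspicious_accounts(plays, as_of):
    """Accounts that are both newly created and listening for hours every active day."""
    seconds = defaultdict(int)
    active_days = defaultdict(set)
    created = {}
    for p in plays:
        seconds[p.account] += p.seconds
        active_days[p.account].add(p.day)
        created[p.account] = p.created
    flagged = set()
    for acct, secs in seconds.items():
        hours_per_day = secs / 3600 / len(active_days[acct])
        is_new = (as_of - created[acct]).days <= NEW_ACCOUNT_DAYS
        if is_new and hours_per_day >= HEAVY_HOURS_PER_DAY:
            flagged.add(acct)
    return flagged

def farmed_artists(plays, as_of):
    """Artists whose streaming time comes overwhelmingly from suspicious accounts.

    Returns {artist: share of seconds from suspicious accounts}, rounded to 2 places.
    """
    bots = suspicious_accounts(plays, as_of)
    total = defaultdict(int)
    from_bots = defaultdict(int)
    for p in plays:
        total[p.artist] += p.seconds
        if p.account in bots:
            from_bots[p.artist] += p.seconds
    return {
        artist: round(from_bots[artist] / total[artist], 2)
        for artist in total
        if from_bots[artist] / total[artist] >= FARMED_SHARE
    }

if __name__ == "__main__":
    print("suspicious accounts:", sorted(suspicious_accounts(SAMPLE_LOG, AS_OF)))
    print("farmed artists:", farmed_artists(SAMPLE_LOG, AS_OF))
```

On the constructed log the popular act keeps a share of zero while the minor artist's listening is almost entirely bot time, which is the pattern the royalty payout would otherwise reward. The weak spot is that the account-age feature is only useful because the botnet created its accounts in bulk; an attacker who ages accounts first forces the detector to lean on the other signals.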


Intel has 1,000 people working on chips for the iPhone » VentureBeat

Mark Sullivan:

Intel now has a thousand people or more working to outfit a 2016 iPhone with its lauded 7360 LTE modem chip, sources say. If all goes well, Intel may end up providing both the modem and the fabrication for a new Apple system on a chip.

Sources close to the matter say Intel is pulling out the stops to supply the modems for at least some of the iPhones Apple manufactures in 2016. This phone will likely be the iPhone 7. VentureBeat was the first to report on the two companies’ work together, and more pieces are falling into place as the project progresses and grows.

Apple may dual-source the LTE modems in its new iPhones from both Intel and Qualcomm. Today, Qualcomm’s 9X45 LTE chip is baked into all iPhone modems.

This story makes one go “hmm..” right up to the point where it talks about dual-sourcing. Then it suddenly makes perfect sense: Apple would look to play the two off against each other, as with CPU supply.
link to this extract


E.U. rule change could be big headache for small businesses » Advertising Age

Kate Kaye:

“I think everybody was hoping [the ECJ] wouldn’t [rule against Safe Harbour], but we were kind of expecting them to rule it this way,” said Acxiom Chief Privacy Officer Jennifer Glasgow. But, she said, “This is not going to disrupt a lot of data flow today or tomorrow or next week.”

The Safe Harbor compact has helped streamline the data flow for more than 4,000 companies including data brokers, ad technology firms and ecommerce companies among others for 15 years. But alarmed by Edward Snowden’s revelations, the E.U. court decided the agreement is not strong enough to protect Europeans’ privacy, including against U.S. spies.

Most large firms handling massive amounts of data such as Google, Facebook and Amazon should already have other legal contracts in place, including previous agreements guiding heavily-regulated health and financial data, that should allow them to continue data transfer as usual. Smaller marketers and data vendors won’t be so lucky, which could have ripple effects throughout the marketing ecosystem.

Correction: the ECJ wasn’t “alarmed” by the revelations; it made a judgement in the light of those revelations about whether EU law could still be applied to data transferred to the US under Safe Harbour.

What’s weird is how people are acting as though this won’t make a difference. If you’re not allowed to transfer data to US-owned servers on the basis that it might be rifled through by the US government, how can it not? (Of course, everyone would be howling for safety if these were Chinese-owned servers and companies; witness the US administration’s lockout of China’s Huawei from communications contracts.)
link to this extract


The secrets of a billionaire’s blood-testing startup » The New Yorker

Eric Lach:

Part of the Theranos story is the tension between commerce, science, and secrecy. Ken Auletta explored this tension in the magazine late last year, in his December profile of Holmes. For most of its existence, Auletta wrote, Theranos has “operated with a stealth common to many Silicon Valley startups.” The company has published little data in peer-reviewed journals describing its devices or its test results, and it has kept the workings of its technology a closely guarded secret. Holmes herself prefers speaking about the coming revolution that her company will bring rather than the specifics of the technology itself.

Holmes and the company say this is normal, that Theranos is only trying to protect itself and its trade secrets while it creates something new. The company says that it has taken steps to get its tests approved by the F.D.A. But there are many who say that health-care technology can’t be afforded the same hushed reception as a new model of the iPhone. “Science is peer-reviewed,” Lakshman Ramamurthy, a former F.D.A. official and a vice-president at the consulting company Avalere Health, said, reacting to the Journal article this week.

Of course, Holmes could be a billionaire, or a zeroinaire, depending how things pan out over the next few months.

What the WSJ story also shows (by its impact, and the puzzled followups) is how little understanding there is of biotech among most journalists. Science journalists tend to shy away from it because it involves business, and business journalists aren’t good at figuring out what questions to ask experts about the science.
link to this extract


Start up: how Brin/Page handle email, smartwatch disruption and use, from $500k to zero on Kickstarter, and more


The Google founders’ approach to triaging email. Photo by M@XONGS on Flickr.

A selection of 8 links for you. May contain the word “smartwatch”. I’m charlesarthur on Twitter. Observations and links welcome.

Use cases for smart watches » Action at a Distance

Richard Gaywood:

I have been using an Android Wear smartwatch for the last three months, exploring different software options and possibilities. What follows is a list of the roles I have found it playing in my life — my use cases, in software engineer jargon. I’m not going to pretend this isn’t a very personal list; perhaps none of these things appeal to you, or would be a reason for you to desire a smartwatch. But then again, there are surely more use cases I don’t care about or haven’t found that you do. This is by no means an exhaustive list.

However, note that there are a couple of well-discussed banner features people associate with smartwatches that I’m going to skip over purely because they have already been thoroughly discussed elsewhere: fitness (not only through step counters and heart rate tracking, but also utilities like interval trainers and performance recording like Strava and Runkeeper) and notification triage. What I’m trying to do with this post is point out some less commonly thought of use cases than these.

Good to hear from someone who has actually been using this for longer than a few minutes.


David Shin’s answer to ‘How do Bill Gates, Larry Page, Mark Zuckerberg and Jack Dorsey manage their email?’ » Quora

Shin’s response:

When I worked at Google in 2006/2007, Larry and Sergey held a Q&A session, and this exact question was asked of them. One of them answered (I don’t remember which) with the following humorous response (paraphrased):

“When I open up my email, I start at the top and work my way down, and go as far as I feel like. Anything I don’t get to will never be read. Some people end up amazed that they get an email response from a founder of Google in just 5 minutes. Others simply get what they expected (no reply).”

Seems pretty sensible to me. That’s roughly how I work. Which is why I haven’t responded to your email, and probably never will.


Syncthing

Interesting product which

replaces proprietary sync and cloud services with something open, trustworthy and decentralized. Your data is your data alone and you deserve to choose where it is stored, if it is shared with some third party and how it’s transmitted over the Internet.

Selling points (if you can have that on something that’s free):

• Private. None of your data is ever stored anywhere else than on your computers. There is no central server that might be compromised, legally or illegally.
• Encrypted. All communication is secured using TLS. The encryption used includes perfect forward secrecy to prevent any eavesdropper from ever gaining access to your data.
• Authenticated. Every node is identified by a strong cryptographic certificate. Only nodes you have explicitly allowed can connect to your cluster.
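What the last two bullets amount to in code, as an added example rather than Syncthing’s own implementation: each node carries a self-signed certificate, the peer is identified by a fingerprint of that certificate rather than by any CA, and a connection is accepted only if the fingerprint is on the local allow list. A SHA-256 hash of the DER certificate stands in for whatever identifier the real project derives, the node names are made up, and restricting the handshake to TLS 1.3 is the assumed way of getting forward secrecy, since that version offers only ephemeral key exchange.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newNodeCert makes a self-signed certificate for one node. Using such a
// certificate as the node's identity is the assumption of this example; it is
// not Syncthing's own code.
func newNodeCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// deviceID is the SHA-256 fingerprint of the DER certificate: the value an
// operator copies into the other node's allow list.
func deviceID(cert tls.Certificate) string {
	sum := sha256.Sum256(cert.Certificate[0])
	return hex.EncodeToString(sum[:])
}

// allowListConfig builds a tls.Config that skips CA chain validation (the
// certificates are self-signed, there is no CA) and instead accepts a peer
// only if the fingerprint of its certificate is in the allow list.
func allowListConfig(own tls.Certificate, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{own},
		// TLS 1.3 negotiates only (EC)DHE key exchange, so session keys are
		// ephemeral and a later key compromise cannot decrypt recorded traffic.
		MinVersion:         tls.VersionTLS13,
		ClientAuth:         tls.RequireAnyClientCert,
		InsecureSkipVerify: true, // disables chain checks only; the callback below is the real check
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("peer presented no certificate")
			}
			sum := sha256.Sum256(rawCerts[0])
			if !allowed[hex.EncodeToString(sum[:])] {
				return errors.New("peer certificate is not in the allow list")
			}
			return nil
		},
	}
}

// connect runs a mutual TLS handshake between a dialing node and a listening
// node over loopback TCP and reports whether both sides accepted the other.
func connect(dialer, listener tls.Certificate, dialerAllows, listenerAllows map[string]bool) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()

	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			srvErr <- err
			return
		}
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, allowListConfig(listener, listenerAllows))
		defer srv.Close()
		srvErr <- srv.Handshake()
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return false, err
	}
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cli := tls.Client(raw, allowListConfig(dialer, dialerAllows))
	defer cli.Close()
	cliErr := cli.Handshake()
	if err := <-srvErr; err != nil {
		return false, fmt.Errorf("listener rejected connection: %w", err)
	}
	if cliErr != nil {
		return false, fmt.Errorf("dialer rejected connection: %w", cliErr)
	}
	return true, nil
}

func main() {
	laptop, _ := newNodeCert("laptop")
	desktop, _ := newNodeCert("desktop")
	stranger, _ := newNodeCert("stranger")
	trusted := map[string]bool{deviceID(laptop): true, deviceID(desktop): true}

	ok, err := connect(laptop, desktop, trusted, trusted)
	fmt.Println("laptop -> desktop:", ok, err)
	ok, err = connect(stranger, desktop, map[string]bool{deviceID(desktop): true}, trusted)
	fmt.Println("stranger -> desktop:", ok, err)
}
```

The check runs in both directions: the listener refuses a dialer whose fingerprint it has not been given, and the dialer refuses a listener it does not recognise, which is what stops a spoofed peer from either joining the cluster or impersonating a member. `InsecureSkipVerify` only turns off the CA-chain logic that has no meaning for self-signed certificates; setting it without a `VerifyPeerCertificate` callback would accept anyone.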


Apple Watch isn’t good enough (that’s great news), and overlooked jobs » Valuing Disruption

Bill Esbenshade looks at Apple’s Watch as a low-end disruptor:

A lot of people are looking at the Watch and saying “it’s not good enough” because of a range of issues related to functionality/reliability: battery life too short, watch too thick or clunky looking, too tethered to the iPhone, not enough health sensors, etc.

The irony is that these shortcomings should be good news for the Watch’s future. That’s because under disruption theory, when a product isn’t good enough on a range of performance dimensions, then the vendor has lots of things to improve — through new product versions — before the product starts overserving. See Concepts page and discussion of Clayton Christensen. This means there’s lots of room for Apple — as an integrated manufacturer — to make sustaining leaps ahead of more modular smartwatch competitors relying on Android. See post titled Apple’s Long Term Advantages. Apple has plenty of room to improve the user experience and move up the improvement trajectory without overserving.

(Esbenshade owns Apple stock.) My own query is – shouldn’t this sort of disruption be coming in from the high end or the low end? The Watch seems to approach from somewhere around the middle.


No, the CIA isn’t stealing Apple’s secrets » Errata Security

Robert Graham on The Intercept’s story on the matter:

The Intercept doesn’t quote people who actually know what they are talking about. As I repeat over and over, for every Snowden document, there’s some expert who has presented on that topic at BlackHat, DefCon, or similar hacking/cybersec conference. There’s no excuse for writing a story on these topics and quoting only activists like Soghoian rather than technical experts from these conferences. For example, a quick search of “BlackHat reverse engineering chips” quickly led to this presentation.

I point this out because another subject of that Intercept article was about trojaning XCode, the Apple development tool used to compile iOS apps. A quick search would have come up with a BlackHat presentation by Errata Security’s own David Maynor where he trojaned Microsoft’s compiler, GCC, and a lesser known compiler called LCC. There’s no excuse for writing this story without reaching out to Maynor, or even Ken Thompson, the co-creator of C/Unix who inspired compiler-trojaning.

Again with compilers, there’s context that is carefully hidden by the Intercept story.

Complex topic, though, which has got everyone looking over their shoulders, and quizzically at their compiler errors, saying “But is it a REAL error, or..?”


How a half-million dollar Kickstarter project can crash and burn » Medium

Haje Jan Kamps has the scars to prove it:

the legal costs were only step one of the battle. The electronics and software design for Triggertrap Ada ended up costing vastly more than we had originally budgeted, in part because it turned out that we couldn’t use the microprocessor we wanted to (the electronics agency claimed that the original microprocessor didn’t have enough memory), and had to do several more design iterations than we had anticipated. Compared to our original project budget, we spent 9.4x more on this phase than we planned to.

In part because of the additional design iterations, we ended up having to spend two and a half times what we had budgeted on our prototyping costs — high-quality 3D printing and subsequent hand-finishing of prototype plastics is hideously expensive — and our industrial and plastics design went significantly over budget.

(Via Matt Baxter-Reynolds.)


Quick take on disruptive potential of smartwatches » Naofumi Kagami

Kagami is a student of disruption theory and practice, and has an interesting take: that it’s the existing watch brands that will thrive in the newly created smartwatch space:

Without going into detail, this is what I expect the smartwatch landscape to look like after the dust has settled;

• Apple will be the undisputed number 1. They will aggressively innovate on the Apple Watch, even to the extent that it cannibalises the iPhone. The Apple Watch will gradually become more and more independent of the iPhone.

• The current Android smartphone OEMs will initially play in the smartwatch market, but they will fail to make profits due to their lack of brand power. Eventually most will retreat from the smartwatch market and focus on making big and powerful smartphones. The few that remain will only get the scraps from the very low-end of the market. The exception might be Samsung. If their Tizen operating system enables them to innovate faster than Android Wear, there is the possibility that Samsung will be able to profit from smartwatches (due to the lock-in they get).

• Current watchmakers will be the major Android Wear players in the smartwatch space, especially in profits. The electronics will be provided by the Shenzhen ecosystem or a chipset provider (maybe Intel). Depending on how well Google can monetise from Android Wear, we might see some rapid innovation.

But read all of it for what that then implies for those smartphone OEMs…


Microsoft has its ‘groove back,’ say some CIOs » WSJ

Clint Boulton:

Michael Sajor, CIO of Apollo Education Group, stopped meeting with Microsoft sales executives a few years ago because they tried to sell him software without bothering to learn about how it would help him run his business. “They were, all-around, just a pretty ugly company to deal with,” Mr. Sajor said.

But Mr. Sajor said the company is showing “signs of life” improving its focus under Mr. Nadella. Now Microsoft representatives ask how they can better support the 250,000 University of Phoenix students for whom Mr. Sajor provides technology. Two months ago, Apollo converted from the on-premises Office software to Microsoft’s Office 365 productivity software, which includes the version of Office for iPad. He said the company still has some work to do to solidify customers’ trust in the company, but he’s optimistic in his experience with the company under Mr. Nadella. “If they stay on track, they’ll win our hearts and minds like other companies have done by becoming real partners,” Mr. Sajor said.

Mobile-first, cloud-first. Nadella is a smart strategist.