Month: August 2016

Andrew Martonik, writing at Android Central:

This year’s Google-branded Android phones will not use the “Nexus” name, Android Central understands, indicating a hard break from the past six years of flagship devices for the company. The widely expected HTC-built handsets — referred to as “Nexus” phones in recent online leaks — will instead come to market under a different brand name, according to several people familiar with Google’s plans.

[…]

AC understands that this year’s Google phones will feature additional software and a tweaked interface atop “vanilla” Android. This will notably differentiate the new models in terms of software experience from previous years’ Nexus phones, which featured a relatively barebones Android experience — and this goes hand-in-hand with the decision to not use the “Nexus” name for the phones. And as we look back at the progression of Nexus phones, this was inevitable — Google has kept adding closed-source apps, services and features to the Nexus line, moving away from the initial idea of what “Nexus” really meant starting as early as the Nexus S 4G.

There’s Android, the open source operating system project that Google maintains. Then there’s Android, the Google-built operating system with a bunch of closed-source Google apps and features, and to use it, one must sign a licensing agreement with Google. The latter has been what we think of as “Android” for a long time, and its dominance is growing; I wonder how long the open source project will last.

Yesterday, Washio — the laundry-on-demand startup operating in major American cities — issued an abrupt announcement that it was shutting down.

Andray Domise wrote a tweetstorm worth reading on it, which I’ve dropped into a Storify with some related items:

To recap, wash.io drives up the price of laundry, pushes laundromats out of business, makes cleaning clothes difficult for poor people [… and] then crashes and burns anyway. Leaving bankrupt businesses behind, and entire neighbourhoods where you can’t even wash your damn clothes.

We don’t talk enough about the chasm left when an unprofitable on-demand startup shuts down after “disrupting” the local economy. For instance, it concerns me deeply that Uber lost $1.2 billion in the first half of this year — a rate of cash hemorrhaging that no traditional taxi company could sustain. It sounds silly to imagine a well-funded startup like Uber going bankrupt, but what if they did? It’s happened to other big, high-valued companies over the years.

The 1960s was the decade that birthed every single one of my favourite aircraft: the Concorde, the SR-71, and — of course — the 747. After many years of travel, I finally got to experience a flight aboard a 747 last year, from Taipei to Vancouver. What an incomparable aircraft, and an amazing legacy left by Sutter.

Dan Primack and Leena Rao, Fortune:

Nest’s entire platform team will become part of Google, which also resides under the Alphabet umbrella, in order to create a unified Internet of things platform. It will be led by longtime Google executive Hiroshi Lockheimer, who currently serves as senior vice president of Android and who recently assumed more responsibility for “living room” products. The combined group also will continue to work on Google Home, a smart speaker rival to the Amazon Echo, while simultaneously fending off Amazon challenges elsewhere in the smart home.

Nest and Google are likely to pitch this as an obvious synergy, but it also plays into ongoing efforts to pare costs at smaller Alphabet units other than Google. By moving Nest software developers over to Google payroll, Nest’s financial situation would improve dramatically (so long as new Nest-branded products continue to be developed).

The rumour so far is that this is basically a backend restructuring. Instead of Nest being a separate entity under the Alphabet holding company, it will become a part of Google (again), which is vastly more profitable and will therefore be able to absorb the impact of fluctuating Nest performance.

Don’t be fooled, though: I’m certain that the end-game for this is to have a single brand for Google’s internet-of-things efforts. Whether that will be Google Home or Nest, I’m not sure, but there’s no reason for them to have both.

Couple of additional questions: first, if Lockheimer is becoming the leader of Google’s “living room” initiatives, what’s Rick Osterloh doing in that department now?

Second, with this restructuring to cushion some of Nest’s performance issues and the rumoured troubles at other Alphabet initiatives like Google X and Google Fiber, doesn’t that rather undermine the whole point of the Alphabet restructuring?

On Thursday night, I was among many longtime Dropbox users who received an email stating that passwords that hadn’t been changed since mid-2012 would be reset. When I asked around, I was told that this was just precautionary, as it said in the email.

While there were account details that were obtained and released in 2012, Dropbox said that these were logins reused from other sites breached at the same time.

Today, Joseph Cox of Vice explains that the breach was much worse than previously reported:

Motherboard obtained a selection of files containing email addresses and hashed passwords for the Dropbox users through sources in the database trading community. In all, the four files total in at around 5GB, and contain details on 68,680,741 accounts. The data is legitimate, according to a senior Dropbox employee who was not authorized to speak on the record.

This is pretty awful, and Dropbox didn’t help matters by being less than forthcoming. However, it was very effective for them to reset passwords on affected accounts — the database isn’t being sold on dark markets because it’s effectively worthless now — and the passwords were hashed with a very secure method.

Thanks to Allen Tan.

Update: Samuel Gibbs, the Guardian:

The original breach appears to be the result of the reuse of a password a Dropbox employee had previously used on LinkedIn, the professional social network that suffered a breach that revealed the password and allowed the hackers to enter Dropbox’s corporate network. From there they gained access to the user database with passwords that were encrypted and “salted” – the latter a practice of adding a random string of characters during encryption to make it even harder to decrypt.

Spectacular.
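As an added illustration of the salting the Guardian describes above (this is example code written for this page, not Dropbox’s actual scheme, which is not specified here): each password gets its own random salt, so two users with the same password end up with different stored digests, a stolen record can only be checked against the one password it was made from, and a forced reset leaves that record useless for logging in. The slow hash (PBKDF2-HMAC-SHA256) and the iteration count are assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this illustration (not Dropbox's real settings):
# PBKDF2-HMAC-SHA256 with a 16-byte random salt and a deliberately slow
# iteration count so that guessing against a stolen record is expensive.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def unsalted_hash(password: str) -> bytes:
    """The weak alternative: a plain hash with no per-user salt."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def same_password_identical_unsalted() -> bool:
    """Without a salt, every user sharing a password stores the same digest,
    so one cracked digest exposes all of them at once."""
    return unsalted_hash("correct horse battery staple") == unsalted_hash(
        "correct horse battery staple"
    )


def same_password_distinct_records() -> bool:
    """With a salt, two users sharing a password store different digests."""
    salt_a, digest_a = hash_password("correct horse battery staple")
    salt_b, digest_b = hash_password("correct horse battery staple")
    return salt_a != salt_b and digest_a != digest_b


def reset_invalidates_stolen_record() -> bool:
    """Simulate a 2012-era record being stolen, then a forced password reset.

    The stolen record still matches the old password (that is all it can ever
    match), but the account now verifies only against the new record, so the
    old password no longer opens the account.
    """
    old_password = "password-set-in-2012"  # constructed sample value
    stolen_salt, stolen_digest = hash_password(old_password)

    # Forced reset: the user picks a new password and a new salt is drawn.
    new_salt, new_digest = hash_password("password-set-after-reset")

    stolen_still_matches_old = verify_password(old_password, stolen_salt, stolen_digest)
    old_password_rejected_now = not verify_password(old_password, new_salt, new_digest)
    return stolen_still_matches_old and old_password_rejected_now


if __name__ == "__main__":
    print("unsalted digests collide:", same_password_identical_unsalted())
    print("salted digests differ:   ", same_password_distinct_records())
    print("reset defeats stolen row:", reset_invalidates_stolen_record())
```

The constant-time comparison in `verify_password` is what you want on a login path; a plain `==` on digests can leak timing information. The reset scenario is the defender’s view of what the post describes: once the affected accounts were forced onto new credentials, the leaked file could no longer be used to sign in, whatever anyone eventually recovers from it.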

DigiDay’s Tanya Dua interviewed an anonymous former curator for Facebook’s now-automated Trending Stories feature. It’s a good interview that touches on the Gizmodo story from May that claimed a liberal bias from editors, but I thought this answer to a question about editorial integrity was most enlightening:

You would essentially have to have them be a completely independent team, where they had full control over the editorial process and didn’t have to answer to anybody at Facebook. It would have to function like a newsroom. Had that gap existed between editorial and the rest of the company, it would have been a more legitimate product. We never felt the support of Facebook behind the product. It was just a little tab, you couldn’t go anywhere, like facebook.com/trending, where you could read all these topics in a feed.

Facebook’s encroachment into the news reading habits of many of its users is concerning if they lack a separation of their editorial and business components, especially if their news features are supposed to be part of the business side of the company.

John Herrman, writing for the New York Times Magazine:

The Facebook product, to users in 2016, is familiar yet subtly expansive. Its algorithms have their pick of text, photos and video produced and posted by established media organizations large and small, local and national, openly partisan or nominally unbiased. But there’s also a new and distinctive sort of operation that has become hard to miss: political news and advocacy pages made specifically for Facebook, uniquely positioned and cleverly engineered to reach audiences exclusively in the context of the news feed. These are news sources that essentially do not exist outside of Facebook, and you’ve probably never heard of them. They have names like Occupy Democrats; The Angry Patriot; US Chronicle; Addicting Info; RightAlerts; Being Liberal; Opposing Views; Fed-Up Americans; American News; and hundreds more. Some of these pages have millions of followers; many have hundreds of thousands.

Using a tool called CrowdTangle, which tracks engagement for Facebook pages across the network, you can see which pages are most shared, liked and commented on, and which pages dominate the conversation around election topics. Using this data, I was able to speak to a wide array of the activists and entrepreneurs, advocates and opportunists, reporters and hobbyists who together make up 2016’s most disruptive, and least understood, force in media.

The Trending Stories feature is, ostensibly, distinct from the News Feed feature. But both are now algorithmically driven, and something that trends on Facebook’s News Feed will likely make it to the Trending Stories feature. If there is little editorial oversight, these features become less meaningful, less helpful, and more inflammatory.

A free press is vital in a democracy, yes, but that is with the assumption that the press publishes valid, true, and well-explained articles on subjects of importance. Facebook seems to think that editorial policy is either unimportant, or a job that can be done by a robot. I very much doubt that.

Amar Toor, the Verge:

The net neutrality rules adopted by the European Parliament last year aimed to strengthen net neutrality by requiring internet service providers (ISPs) to treat all web traffic equally, without favoring some services over others. But the regulations contained several loopholes that raised concerns among net neutrality advocates, including a provision that would have allowed ISPs to create “fast lanes” for “specialized services,” and another that would have allowed for zero-rating, under which certain services and apps would be exempt from counting against monthly data limits. A “traffic management” provision would have allowed telecoms to prioritize internet traffic from some services over others.

Certain kinds of internet connection, such as remote surgery, are allowed to be prioritized, but most traffic must be treated identically — or, at least, comparably to similar kinds of traffic. Any restrictions that an ISP might place on, for instance, one video streaming service must apply equally to traffic from other video streaming services. This legislation makes complete sense to me; I hope it’s successful for consumers across Europe, so that similar legislation may be adopted elsewhere.

From the E.U. Commission’s press release:

Following an in-depth state aid investigation launched in June 2014, the European Commission has concluded that two tax rulings issued by Ireland to Apple have substantially and artificially lowered the tax paid by Apple in Ireland since 1991. The rulings endorsed a way to establish the taxable profits for two Irish incorporated companies of the Apple group (Apple Sales International and Apple Operations Europe), which did not correspond to economic reality: almost all sales profits recorded by the two companies were internally attributed to a “head office”. The Commission’s assessment showed that these “head offices” existed only on paper and could not have generated such profits. These profits allocated to the “head offices” were not subject to tax in any country under specific provisions of the Irish tax law, which are no longer in force. As a result of the allocation method endorsed in the tax rulings, Apple only paid an effective corporate tax rate that declined from 1% in 2003 to 0.005% in 2014 on the profits of Apple Sales International.

E.U. Commissioner Margarethe Vestager:

Our decision concludes that splitting the profits did not have any factual or economic justification. As mentioned, the “head office” had no employees, no premises and no real activities. Only the Irish branch of Apple Sales International had any resources and facilities to sell Apple products.

But under the tax rulings it was the “head office” that was attributed almost all of the company’s profits – in fact, due to Apple’s set-up, it was attributed almost all of the profits Apple made from selling products throughout Europe, the Middle East, Africa and India.

David Gilbert, writing for Vice, elaborates:

However, Vestager added that while the headline figure of €13 billion was the maximum the Irish government could reclaim, other countries in Europe which felt as if they had lost out on taxes due to all profits being funnelled through Ireland, could now seek to recoup those lost taxes.

[…]

Both Apple and the Irish government have come out to strongly oppose the ruling and said they will be appealing the decision. The Irish government said it “disagrees profoundly with the Commission’s analysis. Ireland did not give favourable tax treatment to Apple.”

In a letter published on Apple’s website, Tim Cook expressed the company’s disagreement with the ruling:

Over the years, we received guidance from Irish tax authorities on how to comply correctly with Irish tax law — the same kind of guidance available to any company doing business there. In Ireland and in every country where we operate, Apple follows the law and we pay all the taxes we owe.

This is a little disingenuous — nobody is disputing that Apple paid all the taxes they owe, but rather that the amount that they owe is disproportionately lower than it ought to be for a company of their size and income.

Apple is far from the only major company using crafty accounting techniques to shuffle money around the world to avoid tax on it. Before Ireland adjusted their tax code in 2015 to remove the so-called “Double Irish” scheme, Google, Facebook, and many other large companies made use of the country’s policies to dramatically reduce the tax they paid outside of the United States. Earlier this year, Google was accused of using a similar scheme to Apple’s in the U.K., which they ended up settling for far less than the expected amount.

For some context, the €13 billion that the E.U. has settled on for Apple’s back taxes is about twice their profits from their most recent quarter, but only a fraction of the over-$200 billion they hold in cash overseas.

Mark Gurman and Jungah Lee, Bloomberg:

Upcoming software upgrades for the iPad include wider operating-system support for Apple’s stylus accessory, while hardware performance improvements are also in development, according to the people. The refreshed Mac hardware line includes new versions of the iMac desktop, MacBook Air laptop, and a 5K standalone monitor in collaboration with LG Electronics Inc., in addition to a thinner MacBook Pro laptop.

The company hopes to ship the updated iPad software next year, while the Macs are expected as soon as late 2016, said the people, who asked not to be identified discussing unannounced products. Apple has not updated any Macs, besides the 12-inch MacBook, since last year.

That “late 2016” part is such a tease. I doubt that we’ll see Macs at next week’s media event, and I’d bet against a dedicated October event for new Macs. My money is on small-scale one-on-one press briefings.

Federico Viticci also heard in June that more iPad features were coming in a later iOS 10 update. No word on any major Springboard or multitasking changes, however.

Joseph Lichterman, Nieman Lab:

Facebook — and its algorithm — are extremely powerful and exert huge amounts of control over what type of news coverage a significant number of its users see. So what does it mean when it’s promoting blatantly false news and clickbait aggregation? How can legitimate news outlets operate in this environment when they are becoming increasingly reliant on Facebook? Do users even care that they’re being fed stories from sites of ill repute?

It was just a few weeks ago that Facebook tweaked their News Feed algorithm to reduce clickbait; just a few weeks prior to that, they also made an adjustment to show more stories from friends and fewer from publishers. Now, there’s fake news and clickbait appearing algorithmically in Trending Stories. Despite the two features sitting side-by-side, it almost feels like they’re not even built by the same company.

Robinson Meyer of the Atlantic:

Facebook’s decision to simplify [Trending Stories] seemed like an attempt to wriggle out of editorial responsibility: What had been a messy human-led process would now become an algorithm-guided one. The company also laid off the 26 employees who had run the feature — 19 curators and seven copyeditors — with little warning on Friday, according to Quartz.

[…]

From Sunday evening to early Monday morning, Facebook allowed the topic “Megyn Kelly” to trend. Driving the trend was an article claiming that Kelly had been fired by Fox News for supporting Hillary Clinton. The story, hosted by endingthefed.com, was completely inaccurate: Kelly has not endorsed Clinton, and she has not been fired by Fox. Yet with the assistance of Facebook’s algorithmic editors, it garnered 200,000 likes.

Golly. Who could have predicted that?

Lucas Shaw and Adam Satariano, Bloomberg:

Spotify has been retaliating against musicians who introduce new material exclusively on rival Apple Music by making their songs harder to find, according to people familiar with the strategy. Artists who have given Apple exclusive access to new music have been told they won’t be able to get their tracks on featured playlists once the songs become available on Spotify, said the people, who declined to be identified discussing the steps. Those artists have also found their songs buried in the search rankings of Spotify, the world’s largest music-streaming service, the people said. Spotify said it doesn’t alter search rankings.

Spotify has been using such practices for about a year, one of the people said, though others said the efforts have escalated over the past few months. Artists who have given exclusives to Tidal, the streaming service run by Jay Z, have also been retaliated against, the person said, declining to identify specific musicians.

For what it’s worth, Spotify is denying Bloomberg’s report.

Sarah Frier, Bloomberg:

Twitter Inc. is working on a keyword-based tool that will let people filter the posts they see, giving users a more effective way to block out harassing and offensive tweets, according to people familiar with the matter.

The San Francisco-based company has been discussing how to implement the tool for about a year as it seeks to stem abuse on the site, said the people, who asked not to be identified because the initiative isn’t public. By using keywords, users could block swear words or racial slurs, for example, to screen out offenders.

For comparison, it took Twitter less than two weeks to identify a GIF from the Olympics posted by a sports journalist, and it took under three minutes for it to escalate from a removal demand to a permanent suspension, which was later reversed.

Twitter has known about harassment on its platform for years. It has only recently begun to combat it, and only with the smallest of steps.

Kamran Ali, et al.:

In this paper, we propose a WiFi signal based keystroke recognition system called WiKey. WiKey consists of two Commercial Off-The-Shelf (COTS) WiFi devices, a sender (such as a router) and a receiver (such as a laptop). The sender continuously emits signals and the receiver continuously receives signals. When a human subject types on a keyboard, WiKey recognizes the typed keys based on how the CSI values at the WiFi signal receiver end change. We implemented the WiKey system using a TP-Link TL-WR1043ND WiFi router and a Lenovo X200 laptop. WiKey achieves more than 97.5% detection rate for detecting the keystroke and 96.4% recognition accuracy for classifying single keys. In real-world experiments, WiKey can recognize keystrokes in a continuously typed sentence with an accuracy of 93.5%.

From the paper (PDF):

In this paper, we have shown that fine grained activity recognition is possible by using COTS WiFi devices. Thus, the techniques proposed in this paper can be used for several HCI applications. Examples include zoom-in, zoom-out, scrolling, sliding, and rotating gestures for operating personal computers, gesture recognition for gaming consoles, in-home gesture recognition for operating various household devices, and applications such as writing and drawing in the air.

The paper does say that the initial research was done in a very controlled environment; the amount of noise created by someone walking between the WiFi sender and receiver, for example, could cause a drop in accuracy and reliability. Utterly fascinating, nevertheless.

I received an email from Dropbox this evening; you likely did as well:

We’re reaching out to let you know that if you haven’t updated your Dropbox password since mid-2012, you’ll be prompted to update it the next time you sign in. This is purely a preventative measure, and we’re sorry for the inconvenience.

If that sounds strangely suspicious to you, you’re not alone. But I asked around and it seems that it really is just preventative, though it is related to other mid-2012 security breaches that you may have heard of.

Matthew Lynley, TechCrunch:

Dropbox’s intelligence team identified the existence of a file that contained hashed and salted passwords, according to a person familiar with the matter. That file pertains to passwords that were likely obtained in connection to the LinkedIn hack. While the information appears to have been taken from then and quietly held for some time, it is now surfacing, this person said. Dropbox earlier disclosed that usernames and passwords that were obtained in 2012 were used to access some accounts.

While you’re at it, you might as well turn on two-factor authentication too.

Christina Warren, now writing at Gizmodo:

After finding serious security vulnerabilities in St. Jude Medical’s pacemakers and defibrillators, cybersecurity and research company MedSec decided to take that information to a short-seller (Carson Block of the investment firm Muddy Waters) which then bet against the company in the stock market. This was instead of disclosing the vulnerability, in theory something that could endanger lives, to the manufacturer St. Jude.

Sometimes I wish I had a podcast or a television show instead of words on a page, so I could play a supercut of people saying “that’s fucked up” right now.

MedSec CEO Justine Bone:

In order to help address patient safety, we have chosen to depart from standard cyber security operating procedures in order to bring this to the public’s attention and to ensure that St Jude Medical responds appropriately and with urgency. We have shared our research with an investment firm, Muddy Waters Capital, that is helping us deliver this message.

What a load of horse shit. While MedSec is right that electronic medical devices need vastly better security, there are loads of legitimate paths that they could have taken to ensure that St. Jude was required to fix their devices. As MedSec is only now going to the FDA, their decision to put profits over responsible disclosure is scarcely better than selling the vulnerability to the highest bidder.

This is one hell of a scary set of exploits, capable of targeting deep capabilities within iOS devices. Before you read any further, be sure to update to iOS 9.3.5 if you haven’t already.

Bill Marczak and John Scott-Railton of the Citizen Lab:

Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government-exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.

Lorenzo Franceschi-Bicchierai of Vice interviewed the researchers who disclosed this series of vulnerabilities:

“We realized that we were looking at something that no one had ever seen in the wild before. Literally a click on a link to jailbreak an iPhone in one step,” [Lookout VP Mike Murray] told Motherboard. “One of the most sophisticated pieces of cyberespionage software we’ve ever seen.”

The people targeted by this spyware are largely activists and journalists for civil rights in Mexico and the United Arab Emirates, as well as users in Kenya. The spyware users are suspected to be government officials or intelligence agencies.

According to leaked NSO slides, this exploit is able to steal information from text messages, documents, photos, and lots more. As iOS 9 encrypts individual files and the system as a whole, I’d be interested to know how it’s able to access this data in a (presumably) usable-by-others manner. The researchers say it’s able to get FaceTime calls; what about iMessages?

Once the dust settles on this, I hope a report is published with the full scope of Trident’s abilities and the precise ways in which it exploits the JavaScriptCore engine.

Hannah Karp, Wall Street Journal:

Spotify is now operating on short-term extensions of its old contracts with all three major record companies, having been on a month-to-month basis with at least one of the labels for nearly a year. It is negotiating new deals that would make its finances more attractive to investors.

Spotify, which saw its net loss increase to roughly $200 million last year even as revenue doubled to more than $2 billion, wants to pay a smaller share than the nearly 55% of its revenue that it currently pays to record labels and artists, according to people familiar with the matter.

Anyone blaming exclusives for the current state of the streaming industry has it all backwards. The current state of the music streaming industry is what has begotten exclusives on better-paying platforms.

Former Apple Music “samurai” — according to his LinkedIn profile — Sean Glass:

Contrary to what you read, there’s no scary Apple board room conspiracy where corporate is plotting to take over creativity via artist exclusives. There’s one guy who is behind ALL of these campaigns — and he is light years ahead of everyone else. He works intimately with each artist as a creative peer, and develops an amazing plan, this is no simple land grab. He works closer with the artists than labels do.

He’s building a club, or a “community” as we like to say. Everyone is invited, at a very low cost. If you’re in, you are not complaining about exclusives. Those complaining about exclusives are not participating which means refusing to pay $10 a month for music, so why are we letting them get airtime?

When Apple says that they care about music, it’s not an empty platitude or a throwback to the iPod. They mean it, despite occasional frustrations that seem to suggest the contrary.

Jack Marshall, Wall Street Journal:

In a post published Tuesday on the Google Webmasters blog, Google product manager Doantam Phan wrote, “Pages that show intrusive interstitials provide a poorer experience to users than other pages where content is immediately accessible. This can be problematic on mobile devices where screens are often smaller.”

As a result, pages where content is not easily accessible to a user on the transition from mobile search results may not rank as highly in Google’s search results after Jan. 10, 2017, the post said. This could result in less traffic to those pages and sites.

Examples of interstitials that make content less accessible include pop-ups that “cover the main content [of a page], either immediately after the user navigates to a page from the search results, or while they are looking through the page,” Mr. Phan wrote.

Marshall and Phan are right — interstitial covers can be really irritating on mobile browsers. But why stop there? They provide a crappy desktop experience as well. Why not apply the same algorithmic demotion to all sites that practice this user-unfriendly technique?

Coincidentally, I added api.bounceexchange.com to my JavaScript Blacklist today. Bounce Exchange is a company that specializes in this sort of thing, and it drives me crazy.