Month: July 2019

This project is right on track for Foxconn. The company has also not elaborated upon their denial of having a bunch of empty buildings, despite reporting and photography from the Verge in April confirming that these buildings are, truly and actually, empty.

Update: A Foxconn rep finally replied to Nilay Patel in one of the most bizarre press releases I’ve ever seen. They write “leave us alone” three times in the email — twice in uppercase letters — and quoted a bunch of nonsense from the end of the project’s concept video. I can’t decide what my favourite bit of this is. It might well be the caption “smart safety and security through 8K technology” paired with a pseudo-Face ID icon. I’m not entirely certain how displays with very high pixel counts are supposed to improve facial recognition, or whatever, but I guess if you throw enough buzzwords at someone, they’ll respond by giving you billions of dollars in tax incentives.

Neima Jahromi, the New Yorker:

Schaffer told me that hate speech had been a problem on YouTube since its earliest days. Dealing with it used to be fairly straightforward. YouTube was founded, in 2005, by Chad Hurley, Steve Chen, and Jawed Karim, who met while working at PayPal. At first, the site was moderated largely by its co-founders; in 2006, they hired a single, part-time moderator. The company removed videos often, rarely encountering pushback. In the intervening thirteen years, a lot has changed. “YouTube has the scale of the entire Internet,” Sundar Pichai, the C.E.O. of Google, which owns YouTube, told Axios last month. The site now attracts a monthly audience of two billion people and employs thousands of moderators. Every minute, its users upload five hundred hours of new video. The technical, social, and political challenges of moderating such a system are profound. They raise fundamental questions not just about YouTube’s business but about what social-media platforms have become and what they should be.

YouTube’s monopoly position means that their moderation decisions can be a massive if controversial force for good, but they will also have a high likelihood of flagging non-offending videos. Like I’ve been saying about Facebook and its inept moderation, this is a direct result of the platform’s scale.

As it is, YouTube is taking little meaningful action while still recommending videos that will keep users watching as they crawl further into a narrowing tunnel of viewpoints, thereby radicalizing users while simultaneously claiming that they are neutral.

The broad failure of U.S. authorities to take seriously the antitrust threat of tech companies remains among the biggest policy mistakes of the last twenty years.

Zack Whittaker, TechCrunch:

Marcus Hutchins and Jamie Hankins, who were working from their homes in the U.K. for Los Angeles-based cybersecurity company Kryptos Logic, had just stopped a global cyberattack dead in its tracks. Hours earlier, WannaCry ransomware began to spread like wildfire, encrypting systems and crippling businesses and transport hubs across Europe. It was the first time in a decade a computer worm began attacking computers on a massive scale. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Hours after the disruption began to break on broadcast news networks, Hutchins — who at the time was only known by his online handle @MalwareTech — became an “accidental hero” for inadvertently stopping the cyberattack by registering a web domain found in the malware’s code.

The internet, still reeling from the damage, had gotten off lightly. The two researchers, at the time both in their early 20s, had saved the internet from a powerful nation-state attack launched by an enemy using hacking tools developed by the West.

But the attack was far from over.

Hutchins and Hankins knew if the kill switch went down, the malware would pick up where it left off, infecting thousands of computers every minute. Puffy-eyed and sleep-deprived, they knew the domain had to stay up at all costs. The researchers fended off several attacks from an angry operator of a botnet trying to knock the domain offline with junk internet traffic. And, at one point, law enforcement seized two of their servers from a datacenter in France amid confusion that the domain was helping to spread WannaCry and not preventing it.

Whittaker reports that the “kill switch” domain prevented around sixty million deployments of the WannaCry malware in the last month alone — a staggering figure for a two-year-old piece of malware. It’s surely spreading daily, but remaining dormant solely because this single domain is being kept up. It’s digital HPV.

Apple:

Apple today updated MacBook Air, adding True Tone to its Retina display for a more natural viewing experience, and lowering the price to $1,099, with an even lower price of $999 for college students. In addition, the entry-level $1,299 13-inch MacBook Pro has been updated with the latest 8th-generation quad-core processors, making it two times more powerful than before. It also now features Touch Bar and Touch ID, a True Tone Retina display and the Apple T2 Security Chip, and is available for $1,199 for college students.

This simplifies the lineup dramatically. No longer are there three similar yet purportedly different computers within $200 of each other; now, there’s a simple choice of consumer models and professional models, and at respectably lower price points to boot.

What goes unmentioned in this press release, however, is that Apple has seemingly discontinued the MacBook. Visiting apple.com/macbook redirects to the Mac section, where the model does not appear in the navigation bar at the top. It was last updated two years ago. Despite that, it was easily one of my favourite Mac models — a light, simple, fan-less portable Mac sounds ideal for travelling — so I’m a bit saddened to see it go, even though it conceptually overlaps the MacBook Air considerably. I have to wonder whether the name will be recycled for use in that future ARM-powered Mac.[1]

Also starting today, Apple no longer sells the legacy non-Retina MacBook Air. They’ve nearly achieved an entirely Retina lineup, with just a single non-Retina iMac model remaining.

Update: As noticed by Mitchel Broussard at MacRumors, Apple has dropped SSD prices pretty much across the board. Also, Jordan Kahn of 9to5Mac obtained an internal memo stating that today’s new MacBook Air and Pro models will be eligible for free keyboard repairs. Just terrific news all around, as far as I can tell, apart from the keyboards themselves.


  1. For what it’s worth, the redirect from apple.com/macbook to apple.com/mac returns the permanently moved status code, meaning that this redirect will be cached in users’ browsers and would be harder to revert.

Jonathan Leitschuh discovered the vulnerability:

This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.

On top of this, this vulnerability would have allowed any webpage to DOS (Denial of Service) a Mac by repeatedly joining a user to an invalid call.

Additionally, if you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily re-install the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage. This re-install ‘feature’ continues to work to this day.

This is shockingly easy to exploit and, thankfully, fairly easy to protect against as a user.

However, I’d recommend removing Zoom entirely if you do not rely upon it. The company’s blasé attitude towards Leitschuh’s report of this bug would make me reluctant to trust them with my camera and microphone in the future.
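The bug class Leitschuh describes is a web server bound to localhost that performs an action for whichever page asks: a browser will happily send a GET to 127.0.0.1 on behalf of any site the user visits. As an added example (this is not Zoom’s code, and the port, header name and origin allowlist are constructed for illustration), here is a minimal Python helper service written the defensive way: it never acts on a GET, it only acts on a POST that carries a custom request header, which forces a CORS preflight, and it only answers that preflight for an allowlisted origin, so the browser blocks the call from everywhere else.

```python
"""Added example: a localhost helper service that refuses requests an
arbitrary web page could trigger. Not Zoom's code; port, header name and
origin allowlist are constructed placeholders.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional
from urllib.parse import urlparse

# Constructed placeholder: the only web front end allowed to drive the helper.
TRUSTED_ORIGINS = {"https://app.example.invalid"}
# A non-simple header: browsers will not send it cross-origin without a
# successful CORS preflight, so <form>, <img> and redirects cannot carry it.
REQUIRED_HEADER = "X-Requested-With"
LISTEN = ("127.0.0.1", 8765)  # constructed; loopback only, never 0.0.0.0


def origin_is_trusted(origin: Optional[str]) -> bool:
    """Accept only an exact, well-formed https origin from the allowlist.

    A missing Origin (top-level navigation, <img>/<script> loads, curl) and
    the literal 'null' origin (sandboxed iframes, file:// pages) are rejected.
    """
    if not origin or origin == "null":
        return False
    parts = urlparse(origin)
    if parts.scheme != "https" or parts.path not in ("", "/"):
        return False
    if parts.query or parts.fragment or parts.username:
        return False
    return f"{parts.scheme}://{parts.netloc}" in TRUSTED_ORIGINS


def authorize_local_request(method: str, headers: Mapping[str, str]) -> bool:
    """True only for a POST from a trusted origin that carries the custom header.

    headers: any mapping of header names (case-insensitive) to values.
    """
    if method.upper() != "POST":
        return False
    lower = {k.lower(): v for k, v in headers.items()}
    if not origin_is_trusted(lower.get("origin")):
        return False
    return REQUIRED_HEADER.lower() in lower


class HelperHandler(BaseHTTPRequestHandler):
    def _cors(self, origin: Optional[str]) -> None:
        # CORS headers are echoed only for a trusted origin; without them the
        # browser discards the response and never sends the real POST.
        if origin_is_trusted(origin):
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
            self.send_header("Access-Control-Allow-Methods", "POST")
            self.send_header("Access-Control-Allow-Headers", REQUIRED_HEADER)

    def do_OPTIONS(self) -> None:  # the preflight
        self.send_response(204)
        self._cors(self.headers.get("Origin"))
        self.end_headers()

    def do_GET(self) -> None:
        # No action is ever taken on GET, so a page cannot trigger one with
        # an <img src=...>, a link or a redirect.
        self.send_response(404)
        self.end_headers()

    def do_POST(self) -> None:
        if not authorize_local_request("POST", self.headers):
            self.send_response(403)
            self.end_headers()
            return
        # Constructed stand-in for the privileged action (e.g. joining a call).
        self.send_response(200)
        self._cors(self.headers.get("Origin"))
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"action accepted\n")


if __name__ == "__main__":
    HTTPServer(LISTEN, HelperHandler).serve_forever()
```

The checks are layered deliberately: the Origin allowlist is what the server enforces, and the custom header is what makes the browser enforce it too, because a cross-site request carrying that header is only sent after a preflight the server declines for untrusted origins. This does not defend against other software already running on the machine, which is outside the bug’s threat model; it defends against the case the report describes, an arbitrary web page reaching a local daemon.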

I thought this was a well-articulated perspective on the dangers of unchecked industry domination, and a firm rebuttal of Facebook’s familiar talking points.

I’ve been saying for a while now that I think Facebook’s inability to keep obviously objectionable materials off its platform — whether through traumatizing human moderators or relying upon automated filters — is a symptom of a broader design flaw. The sheer scale of the company’s products exacerbates this, too. I’m not saying that a company with a few hundred million users would be easier to moderate — Twitter proves that in spades — but I do think that trying to police materials of all types across virtually every country on Earth is an impossible task. Furthermore, globe-spanning monopolies are incentivized to avoid moderation.

I recently booked some hotel rooms using a few different travel websites and I’m pretty sure I encountered nearly all of these. Dark patterns are shockingly unethical. They are deceptive, crass, and borderline fraudulent in the case of patterns that sneak unwanted items into a shopper’s cart.

David Heinemeier Hansson expanded upon Mike Davidson’s post about privacy problems with Superhuman’s read receipts:

Davidson’s point about the ethical trajectory of a company is spot on. But it goes even further than the single company. There’s an ethical trajectory of a whole ecosystem, and the one in Silicon Valley is in need of some serious recalibration. Springing to the defense of appalling privacy abuses with excuses like “well, everyone else does it” only reveals just how dire the need is for that recalibration. A process that has to start with one company at a time.

But even if Silicon Valley was a beacon of ethical behavior, you’d still want successful startups on a strong trajectory to have their business model and practices subjected to scrutiny in proportion to their success. The more people are using something, the greater the potential for harm (and good). This isn’t rocket science.

Scale radically alters the dynamic of a company’s impact. Consider, for example, how the scale of companies like Uber and Airbnb has made their services as commonplace as the categories they disrupt without similar oversight for safety or ethical business practices.

Scrutiny is a force for good; it should be embraced.

Yesterday, I linked to a story about guards at the border between China and Kyrgyzstan using a device to exfiltrate iPhone users’ data. Though it is a tangential issue, I did not mention that, last year, I sent a FOIA request to the Department of Homeland Security to ask if they owned a GrayKey or had any of its marketing materials. I received a response at the time stating that they did not have anything of the sort.

Now, though, they do. Thomas Brewster noted today that Customs and Border Protection acquired a GrayKey last month. Brewster has written extensively about the capabilities of the GrayKey system. I think it is also notable that, since last month, applicants for U.S. visas have been required to reveal five years’ worth of social media profiles, phone numbers, and email addresses.

Rachel England, Engadget:

The feature, called FaceTime Attention Correction, is part of the latest iOS 13 beta, and appears to use advanced image manipulation to make video-based eye contact appear more natural. It was discovered by app designer Mike Rundle, who tested it out with tech enthusiast Will Sigmon. You can see the feature in action below. It looks like it’s only available on the new iPhone XS and iPhone XS Max, but that likely means future iterations of the iPhone will get it as standard, helping you to completely maximise your FaceTime game.

Video calling always looks a bit unnatural, whether on a smartphone or on a desktop computer, because you’re either looking at the participant onscreen or at the camera — you can’t do both. It’s the kind of thing that can make it feel like participants are not paying attention to each other. This is one of those apparently simple but profound changes that feels very Apple-y.

Hilary Osborne and Sam Cutler, the Guardian:

An investigation by the Guardian and international partners has found that travellers are being targeted when they attempt to enter the region from neighbouring Kyrgyzstan.

Border guards are taking their phones and secretly installing an app that extracts emails, texts and contacts, as well as information about the handset itself.

Tourists say they have not been warned by authorities in advance or told about what the software is looking for, or that their information is being taken.

Moritz Contag and Cure53 (PDF) published technical analyses of the Android spyware, which appears to dump a fairly comprehensive summary of the phone’s contents and user activity. Raymond Zhong reports for the New York Times that iPhones are connected with a cable to a box that performs a similar task. Presumably, this is something like a GrayKey.

This is obviously intrusive, and points to an increasingly urgent need to make mobile devices as secure as possible. There’s no reason why, in a more authoritarian world, capabilities like this would be used less. Why would China want to restrict this to its borders with just one country? Why would this be restricted only to China?

Meanwhile, American officials have met to discuss outlawing end-to-end encryption, and Australia already has a law that allows them to compel companies to help them with surveillance.

Whenever a public-facing executive leaves their job, there will inevitably be a series of stories — typically in business publications — which try to ascertain why they left. Such stories are full of anecdotes and rumours, and it’s sometimes hard to know what to trust or who is grinding what axe.

So, I assume, many of you did the same thing I did for part of this weekend by catching up on a flurry of stories ostensibly giving some background to why Jony Ive is leaving Apple — Mark Gurman and Tripp Mickle wrote the two high-profile pieces, and I also read responses to try to get a handle on their accuracy.

After all that, I was left with the feeling that neither story was entirely convincing. Matthew Panzarino of TechCrunch has written a particularly good piece distilling what he’s heard independently, as well as reflecting on Ive’s legacy:

Even though Jony is a ‘unicorn’ designer, Apple has always thrived on small teams with decision makers, and they’re not all one person. The structure of Apple, which does not rely on product managers, still leaves an enormous amount of power in the hands of the people actually doing the work. I’m not as concerned as a lot of people are that, with Jony leaving, there will suddenly be a slavish hewing to the needs of ‘ops over all’. It’s not in the DNA.

That doesn’t mean however, that there aren’t still question marks. Jony was an enormous force in this company. It is completely natural to be curious, excited and, hell yeah even worried about what his departure will do to the design focused Apple people love to love.

I have intentionally held off on posting much about Ive’s announced departure for the aforementioned reasons, but this is worth reading.

Update: I also think MG Siegler’s piece is wise.

Update: John Siracusa’s take is typically thoughtful and worth your time. This, in particular, bears repeating:

As the leader of design at Apple, Ive inevitably receives acclaim for work done by other people on his team. This is what it means to be the public face of a collaborative endeavor involving hundreds of people. Ive himself is the first to credit his team, always using the word “we” in his appearances in Apple’s design videos. One gets the impression that Ive has historically used “we” to refer to the design team at Apple, rather than Apple as a whole, but he certainly never meant it to refer to himself.

While I think it’s been fairly clear that design at Apple is a huge team endeavour — and though many of the pieces published after last week’s news acknowledge that Ive has taken a reduced role in the day-to-day activity of designing for several years — it remains odd to me that the single arbiter of product taste at the company is now Jeff Williams. Nothing against the guy, but it’s strange for Apple that it’s an MBA in that role.

Nick Statt, the Verge:

Now, Apple doesn’t own the concept of virtual avatars. It also doesn’t even own the trademark for Memoji. So it’s not fair to say Xiaomi is stomping all over the iPhone maker’s intellectual property; as VentureBeat notes, the concept behind and the use of the phrase memoji existed prior to Apple’s introduction of it into iMessage last summer at WWDC. Additionally, Samsung beat both companies to cartoon AR avatars with its slightly more horrifying Galaxy S9 AR Emoji feature back in February of last year.

There is a lot of prior art here, but it’s pretty clear what Xiaomi is aping with Mimoji. The Ripoff Express seems to keep chugging through Xiaomi’s station. It’s kind of their thing.

Mike Davidson wrote about the widespread implications of the sender-controlled read receipts that are enabled by default in Superhuman:

What I see in Superhuman though is a company that has mistaken taking advantage of people for good design. They’ve identified a feature that provides value to some of their customers (i.e. seeing if someone has opened your email yet) and they’ve trampled the privacy of every single person they send email to in order to achieve that. Superhuman never asks the person on the other end if they are OK with sending a read receipt (complete with timestamp and geolocation). Superhuman never offers a way to opt out. Just as troublingly, Superhuman teaches its user to surveil by default. I imagine many users sign up for this, see the feature, and say to themselves “Cool! Read receipts! I guess that’s one of the things my $30 a month buys me.”

When products are introduced into the market with behaviors like this, customers are trained to think they are not just legal but also ethical. They don’t always take the next step and ask themselves “wait, should I be doing this?” It’s kind of like if you walked by someone’s window at night and saw them naked. You could do one of two things: a) look away and get out of there, realizing you saw something that person wouldn’t want you to see, or b) keep staring, because if they really didn’t want anyone to see them, they should have closed their blinds. It’s two ways of looking at the world, and Superhuman is not just allowing for option B but actively causing it to happen. It’s almost as if Superhuman is aiming a motion-sensitive camera outside people’s windows and sending alerts when there is motion. It’s automated and designed to capture info when your family, your friend, your co-worker, or your victim is not aware. You may think “victim” is too harsh of a word to use here, but remember, we aren’t talking about you. We are talking about anyone who might use Superhuman.

This piece is fantastic. It’s not just about read receipts in one not-very-popular email app; it’s about how the ethical decisions that are made early in a company’s life impact its ongoing commitments.

Anyway, always disable images in your email client.

Update: Superhuman CEO Rahul Vohra says that read receipts will now be disabled by default. I think this response is terrific, but as Nilay Patel points out, this mess wouldn’t exist for Superhuman — nor any other app that may be less willing or quick to course-correct — with strong user-centric privacy legislation.

Kevin Ohashi, Review Signal:

ICANN, which regulates the domain name system, is reviewing the renewal of the .ORG registry contract with Public Interest Registry (PIR). It’s also running an identical process for .BIZ/INFO/ASIA, but they are of less concern to most people and don’t have the long history of existing pre-ICANN that .org does. The proposal was already discussed between PIR and ICANN staff before being put out for comment from stakeholders. This alone is worrisome that the contract is negotiated behind closed doors and without input beforehand.

[…]

Not only is there virtually no support for this policy, the only people making any argument in favor of removing price caps have captured an ICANN constituency to do it, one that is supposed to represent business interests broadly (not registry interests).

ICANN voted to eliminate the $8.25 per year price cap on .org domains — that is, domains that are for not-for-profit organizations, charities, and other organizations that count on precise budgeting. It’s no wonder there was so much opposition to this; it’s completely mysterious why ICANN would choose to ignore overwhelming support for .org price caps for a slightly different contract.