#Twinning was spilling your data

Seeing a timeline of people merrily uploading their photos to Popsugar’s #Twinning app yesterday prompted me to go full Scrooge:

But, after poking around at Popsugar’s privacy policy, there was nothing out of the ordinary in there. I mean, they’re still sharing user data with advertisers, but no more than any other site of its kind. So I didn’t say any more.

But then, TechCrunch did some real digging into the site’s code, and found:

All of the uploaded photos are stored in a storage bucket hosted on Amazon Web Services. We know because the web address of the bucket is in the code on the Twinning tool’s website. Open that in your web browser, and we saw a real-time stream of uploaded photos.

Oh well.

The hole does appear to be fixed. No real harm done, I suppose – those pictures are being uploaded by people presumably with the very intention of sharing them on social media, so it’s hardly the data breach of the year (there’s still time for one more whopper, as I write this).

I must ask, though: how often will we continue to see major data breaches caused by misconfigured AWS storage buckets and openly exposed AWS databases? Uber, GoDaddy, Verizon, Accenture, the NSA … and many more … all due to mismanaged AWS accounts.
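The failure TechCrunch describes is a bucket whose ACL or policy lets anyone list and read it. As an added example (not Popsugar’s, TechCrunch’s or AWS’s own code), here is an offline audit that evaluates the three documents an operator can pull with `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block`, and says whether the bucket is publicly readable or, worse, publicly listable. The sample documents are constructed, and the rule that Block Public Access neutralises public ACLs and policies is applied as a simplification of the real AWS evaluation.

```python
"""Offline audit of S3 bucket access settings for public exposure.

Added example; not code from Popsugar, TechCrunch or AWS. Feed it the JSON
that `aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-public-access-block` print, so it runs without credentials.
"""
import json

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# READ on a *bucket* ACL allows listing keys: the "real-time stream of
# uploaded photos" failure mode. GetObject alone only exposes known keys.
LISTING_PERMISSIONS = {"READ", "FULL_CONTROL"}
LISTING_ACTIONS = {"s3:listbucket", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_findings(acl: dict) -> list:
    """Grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            who = grantee["URI"].rsplit("/", 1)[-1]
            perm = grant.get("Permission")
            tag = "LISTABLE" if perm in LISTING_PERMISSIONS else "PUBLIC"
            findings.append(f"ACL grants {perm} to {who} ({tag})")
    return findings


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_findings(policy_json) -> list:
    """Allow statements whose Principal is everyone."""
    if not policy_json:
        return []
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition (source VPC endpoint, referer, ...) may scope this
            # down; flag it for a human rather than guessing either way.
            findings.append("policy allows Principal * under a Condition; review manually")
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        tag = "LISTABLE" if actions & LISTING_ACTIONS else "PUBLIC"
        findings.append(f"policy allows {sorted(actions)} to everyone ({tag})")
    return findings


def block_public_access_gaps(pab) -> list:
    """Block Public Access settings that are missing or false."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [f"{k} is not true" for k in PAB_KEYS if not cfg.get(k)]


def audit_bucket(acl, policy_json, pab) -> dict:
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    acl_f = public_acl_findings(acl)
    pol_f = public_policy_findings(policy_json)
    # Simplification (assumption): IgnorePublicAcls neutralises public ACL
    # grants and RestrictPublicBuckets neutralises public policy statements.
    exposed = []
    if not cfg.get("IgnorePublicAcls"):
        exposed += acl_f
    if not cfg.get("RestrictPublicBuckets"):
        exposed += pol_f
    return {"block_public_access_gaps": block_public_access_gaps(pab),
            "acl": acl_f, "policy": pol_f, "exposed": exposed}


# Constructed samples: a bucket left open the way the report describes, and
# the same bucket with every Block Public Access setting switched on.
OPEN_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-photo-uploads/*"}]})
LOCKED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    for label, pab in (("open", None), ("locked", LOCKED_PAB)):
        print(label, json.dumps(audit_bucket(OPEN_ACL, OPEN_POLICY, pab), indent=2))
```

Run it against saved CLI output per bucket; anything tagged LISTABLE is the case in the story, and a non-empty `block_public_access_gaps` list is the account-level setting that would have made the ACL mistake harmless.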

Dear companies that hold our data: In 2019, do better.

An unusual sight at an Apple store: a discount

Rumours of the iPhone’s (and therefore Apple’s) demise have often been greatly, hopelessly exaggerated. But there is plenty in this piece from USA Today to chew over. It begins:

Apple has for years been a premium brand that rarely, if ever discounted products. Period.

Every year, the company could raise prices on products, and consumers would not only happily pay, but stand in long lines for the privilege of doing so.

This isn’t any other year, however. The newspaper reports that visitors to Apple stores this Christmas were greeted with a highly unusual sight: a discount offer. Get $300 off the iPhone XR if you trade in your current model, a poster read. Apple called it “limited time” “instant credit”, but it is what it is: a money-off deal for a brand new Apple phone.

USA Today’s writer Jefferson Graham offers this explanation as to why:

Unlike past years, however, Apple didn’t offer consumers much that was new for the 2018 models. The flagship XS and XS Max phones had more power, but that didn’t resonate with consumers who thought their old iPhone 6S and 7 devices ran just fine. The XR has the premium edge-to-edge display of the X series iPhones, minus the second camera lens of those models and shinier OLED screen, but it’s $400 more expensive than the older, entry-level current model. Analysts say the XR phone experienced the biggest resistance from consumers.

Graham does go on to point out that a “bad” quarter for Apple is still 200 million smartphones shifted, and that part of the slower upgrade cycle might be – not to cosy up to Cupertino too much – the result of recent iPhones being really rather good, and standing the test of time.

And the entire smartphone market has hit an innovation wall. There are simply no killer features coming with each yearly iteration, and consumers seem content to keep hold of devices until they conk out on them completely, instead of being lured by the latest model.

Apple seems to have seen this coming, and in an effort to fend off any negative share price impact, it said last quarter it would no longer be breaking out iPhone sales in its quarterly results.

The Essential Phone is essentially dead

You know, I had high hopes for the Essential Phone when I tried it out in August 2017:

We’re on the mezzanine, and [Andy Rubin, creator] has the phone in his hand. There’s no logo on it, or indeed any branding whatsoever. It’s made from titanium, which is lighter and stronger than the aluminium most devices are made from – though the phone itself is heavier overall than, for example, the iPhone 7. Titanium shouldn’t bend as much on impact, meaning fewer screen breaks.

It has a ceramic back-casing with a dual-lens camera that doesn’t protrude, so the device can lie flat on its back when resting on a table. There’s an almost-edge-to-edge screen, and, like Google’s Pixel phone, a nifty fingerprint reader on the back to unlock it quickly.

But what makes the Essential Phone different are the two small circular connectors found on its rear. These can be used to snap on a range of different accessories. The first, a 360-camera, is being offered at a discount when you buy the phone (though they didn’t give me a proper chance to try it out, so I can’t vouch for how good it is).

It was a promising concept, but one that had a fatal flaw. Its stand-out features (those accessories) required critical mass to make any kind of sense. And the company had no real plan to tell anyone about it:

[Rubin] says there won’t be a big event where “one person gets on stage and does a ‘ta-da!’”. You also won’t be seeing a huge advertising campaign, a Super Bowl ad, or anything even close to the kind of effort Samsung has gone to in order to get its devices into consumers’ hands – and that’s a company that has been a known brand for more than 50 years.

After I wrote that piece it also became clear that the software on the device, particularly the camera, was dismally unstable. Who wants a camera that may or may not have just taken a picture?

Earlier this year, the NYT reported that Mr Rubin was the recipient of a $90m leaving present from Google – despite “credible” complaints about sexual misconduct around women.

Damaging as they were, I don’t think the revelations made much difference when it came to the Essential Phone’s fate. On Friday, Android news blog DroidLife noticed that it was basically impossible to buy the device online, including on Essential’s own website:

The Essential Phone switched over to “Out of Stock” on the Essential Shop last week in all colors after not much of a discount (not like this one) during the height of the holiday shopping season. It’s now mostly gone at Amazon too, outside of some resellers trying to get rid of remaining devices, with no Prime shipping available in the last couple of color options. Best Buy removed all listings of the unlocked model and now shows it as “no longer available” if you do find a legacy link to it. That change happened sometime around December 14. The only version sold by Best Buy is the Sprint model. And speaking of the Sprint model, Sprint’s site seems to think they have it, but the page is broken for me and just spins as it tries to figure out how much to sell the phone for.

It later updated its piece to include this statement from Essential, confirming that the phone was, indeed, a goner. But fear not, Essential fans (anyone?), there’s a new product on the way:

We are sold out of Essential Phone on essential.com and won’t be adding any new inventory. We are now hard at work on our next mobile product and will continue to sell accessories and provide speedy software updates and customer support to our existing community.

LA Times, WSJ and NYT print runs ‘hit by cyber-attack’

A ransomware attack seems to have severely hit the print runs of the LA Times, as well as other major newspapers that use the LAT’s printing presses to serve the West Coast:

The attack led to distribution delays in the Saturday edition of The Times, the San Diego Union-Tribune, the Chicago Tribune, Baltimore Sun and several other major newspapers that operate on a shared production platform. It also stymied distribution of the West Coast editions of the Wall Street Journal and New York Times, which are all printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles.

What’s interesting about this attack is that it appears to have been a strain of the Ryuk ransomware. Here’s more from the LAT:

One company insider, who was not authorized to comment publicly, said the corrupted Tribune Publishing computer files contained the extension “.ryk,” which is believed to be a signature of a “Ryuk” attack.

That’s notable as, unlike most other forms of ransomware, Ryuk attacks are often aimed specifically at an intended target, as explained here by Check Point Research:

Unlike the common ransomware, systematically distributed via massive spam campaigns and exploit kits, Ryuk is used exclusively for tailored attacks. In fact, its encryption scheme is intentionally built for small-scale operations, such that only crucial assets and resources are infected in each targeted network with its infection and distribution carried out manually by the attackers.

This, of course, means extensive network mapping, hacking and credential collection is required and takes place prior to each operation. Its alleged attribution to Lazarus Group, discussed later in this post, may imply that the attackers are already well experienced in the targeted attacks domain, as seen by attacks such as the breach of Sony Pictures in 2014.

Lazarus Group has repeatedly been linked to North Korean operatives working out of China.

But – a couple of notes of caution before we bill this as an assault on the US press by a foreign adversary.

First, if the goal is suppression of information, this doesn’t make much sense – everything in those newspapers will be online already anyway.

Second, Ryuk has been well-documented for some time. There’s a significant chance, I’d wager, that this is simply a repurposed attack from an unsophisticated group trying to make a bit of money from anyone who happens to be running a sufficiently insecure computer system (the type you might find powering a printing press).
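The one concrete indicator in the LA Times report is the “.ryk” extension on the corrupted files. As an added example (not code from the LA Times, Tribune Publishing or Check Point), here is a small sweep that takes a file listing, counts ransom-renamed files per directory, and flags directories above a threshold, so a noisy single file does not page anyone but a folder full of renamed pages does. It keys only on the final extension, because this family appends its own extension to the original name; the listing below is constructed, and the threshold is an assumption to tune per environment.

```python
"""Sweep a file listing for ransomware-renamed files (".ryk" per the report).

Added example, not the LA Times', Tribune Publishing's or Check Point's code.
Pure functions take a list of paths so the sweep runs on a saved listing;
sweep_tree() walks a live directory with the same logic.
"""
import os
from collections import defaultdict
from pathlib import PurePosixPath

# ".ryk" is the extension named in the report; anything an analyst adds
# here is their own assumption for their environment.
RANSOM_EXTENSIONS = {".ryk"}


def is_ransom_renamed(path: str) -> bool:
    """True when the final extension is a ransom extension.

    The original name is kept and the extension appended, so
    'page_A1.pdf.ryk' matches while 'page_A1.pdf' does not.
    """
    return PurePosixPath(path.replace("\\", "/")).suffix.lower() in RANSOM_EXTENSIONS


def sweep_listing(paths, min_hits=3) -> dict:
    """Group paths by directory; return directories with >= min_hits renamed files."""
    per_dir = defaultdict(lambda: {"total": 0, "hits": 0, "samples": []})
    for p in paths:
        norm = p.replace("\\", "/")
        entry = per_dir[str(PurePosixPath(norm).parent)]
        entry["total"] += 1
        if is_ransom_renamed(norm):
            entry["hits"] += 1
            if len(entry["samples"]) < 3:  # keep a few names for the ticket
                entry["samples"].append(norm)
    flagged = {}
    for d, e in per_dir.items():
        if e["hits"] >= min_hits:
            e["ratio"] = round(e["hits"] / e["total"], 2)
            flagged[d] = e
    return flagged


def sweep_tree(root, min_hits=3) -> dict:
    """Same check over a live directory tree (read-only; nothing is modified)."""
    paths = []
    for dirpath, _, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return sweep_listing(paths, min_hits)


# Constructed listing: a prepress share with one folder hit hard, one folder
# with a single stray file, and an untouched home directory.
SAMPLE_LISTING = [
    "/srv/prepress/pages/page_A1.pdf.ryk",
    "/srv/prepress/pages/page_A2.pdf.ryk",
    "/srv/prepress/pages/page_B1.pdf.RYK",
    "/srv/prepress/pages/page_B2.pdf.ryk",
    "/srv/prepress/pages/README.txt",
    "/srv/prepress/fonts/Helvetica.otf.ryk",
    "/srv/prepress/fonts/Times.otf",
    "/home/editor/notes.txt",
    "/home/editor/draft.docx",
]

if __name__ == "__main__":
    for d, e in sweep_listing(SAMPLE_LISTING).items():
        print(f"{d}: {e['hits']}/{e['total']} renamed ({e['ratio']}), e.g. {e['samples']}")
```

A directory reporting a high ratio is the signal to isolate the host feeding that share; the stray single file in `fonts` stays below the threshold and is left for a later look.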

Instagram accidentally updates app

Instagram surprised lots of people with a massive update, one which didn’t go down well at all. Engadget:

If you opened up Instagram today and found that your timeline orientation was totally switched, you weren’t alone. It appears that quite a few users had a timeline that moved left to right, where posts could be tapped through as they can be in stories.

But wait, it wasn’t even supposed to happen…

Regardless, this is coming – though I wonder if Instagram will reconsider this move given the unhappiness displayed by many of those who got the update.

TechCrunch has a full report here.

Recovering a once-lost Sim City

A miracle at Christmas – the long-thought-lost NES version of Sim City. The game is unfinished, but playable thanks to the Video Game History Foundation:

This version of the game was thought to be completely lost or, at best, confined to some deep dark archive inside of Nintendo’s offices. Either way, the game was seen as something of a Holy Grail among collectors and archivists alike, and the odds of ever seeing it outside of a handful of published screenshots seemed slim, until a cartridge containing an unfinished version of the game materialized at 2017’s Portland Retro Gaming Expo.

Curiously, the Foundation said it was up against a deep-pocketed private bidder who wanted to keep this version under lock and key. Who, I wonder?

The (very) unofficial guide to what sold best at Christmas

If App Store download charts are anything to go by, Alexa has smashed Google Home out of the park, while Xbox has beaten PlayStation.

Update:

CNBC’s Steve Kovach points out the major flaw with this method – it discounts pre-installed apps kicking into action. Such as…

Facebook’s Kaplan wanted Daily Caller as fact-checkers

Good rundown from the Wall Street Journal on the input of Joel Kaplan, a chief policy advisor at Facebook.

As the only high-profile conservative at the company (other than Peter Thiel, who is of course a board member), Kaplan has a significant say in how Facebook tries to appease those that accuse it of bias. Though, if this piece is anything to go by, his contributions have been anything but unifying. From the report:

Mr. Kaplan argued that The Daily Caller was accredited by the Poynter Institute, a St. Petersburg, Fla.-based journalism nonprofit that oversees a network of fact-checkers. Other executives, including some in the Washington, D.C. office, argued that the publication printed misinformation. The contentious discussion involved Mr. Zuckerberg, who appeared to side with Mr. Kaplan, and Chief Operating Officer Sheryl Sandberg. The debate ended in November when The Daily Caller’s fact-checking operation lost its accreditation.

The Daily Caller has a quite shocking rap sheet that any well-minded person would regard as being disqualifying for any involvement with Facebook, let alone as a fact-checker.