TikTok: Allegations of Keylogging

August 22, 2022

I am not a TikTok person; therefore, I exist in a trend free zone. Others are sucking down short videos with alacrity. I admire a company, possibly linked to China’s government, which has pioneered a next generation video editor and caused the Alphabet Google YouTube DeepMind thing to innovate via its signature “me too” method of innovation.

Now TikTok has another feature, which is an interesting allegation. “TikTok’s In-App Browser Can Monitor Your Every Click and Keystroke” asserts:

When Krause [a security researcher] dug a little deeper into what these apps’ in-app browsers really do, he found that TikTok does some bad things, including monitoring all of users’ keyboard inputs and taps. So, if you open a web page inside of TikTok’s app, and enter your credit card details there, TikTok can access all of those details. TikTok is also the only app, out of all the apps Krause has looked into, that doesn’t even offer an option to open the link in the device’s default browser, forcing you to go through its own in-app browser.

Let’s assume this finding is spot on. First question: Does anyone care? Second question: So what?

I don’t have answers to either question. I do, however, have several observations:

  1. Oracle, for some reason, seems to care. The estimable database company is making an effort to find information that suggests TikTok data are kept in a cupboard. Only grandma can check out who will be an easy target for psychological manipulation. No results yet, but if TikTok is a neutral service, why’s Oracle involved?
  2. A number of Silicon Valley pundits have pointed out that TikTok is no big deal. That encapsulates the “so what” issue. “Put that head in the sand and opine forward” is the rule of thumb for these insightful folks.
  3. Keyloggers are a fave of certain actors. TikTok may have found them useful for benign purposes.

Quite an allegation.

Stephen E Arnold, August 22, 2022

Not a Eulogy for the Semantic Web, Maybe an Elegy

August 22, 2022

If you are into the semantic Web, you will enjoy “The Semantic Web is Dead – Long Live the Semantic Web!” The article has examples, some explanation, and a prediction. Spoiler: The Semantic Web will rise like Lazarus, just wearing Amazon normcore clothing. You know: For everyone.

I noted one passage and circled it in blue:

The political economy of academia and its interaction with industry is the origin of our current lack of a functional Semantic Web. Academia is structured in a way that there is very little incentive for anyone to build useable software. Instead you are elevated for rapidly throwing together an idea, a tiny proof of concept, and to iterate on microscopic variations of this thing to produce as many papers as possible. In engineering the devil is in the detail. You really need to get into the weeds before you can know what the right thing to do is. This is simultaneously a devastating situation for industry and academia. Nobody is going to wait around for a team of engineers to finish building a system to write about it in Academia. You’ll be passed immediately by legions of paper pushers. And in industry, you can’t just be mucking about with a system that you might have to throw away. We have structured collaboration as the worst of both worlds. Academics drop in random ideas, and industry try them, find them useless, and move on.

I believe in the Tooth Fairy, not Jack Benny’s Blue Fairy. The write up, like me, is mostly optimistic. I learned:

The Future of the Semantic Web is there, the Semantic Web will rise, but it will not be the Semantic Web of the past. Humanities access to data is of ever increasing importance, and the ability to make resilient and distributed methods of curating, updating and utilizing this information is key. The ideas which drove the creation of the Semantic Web are nowhere near obsolete, even if the tool chain and technologies which have defined it up to day are fated to go the way of the dinosaur.

Now I am a dinobaby. What about Web 3-ized well-formed XML? Great idea, right?

Stephen E Arnold, August 22, 2022

Microsoft and Its Consumer Focus

August 19, 2022

Blurry or blind? I am not sure. I noted “Microsoft Reportedly Lays Off Team Focused on Winning Back Consumers.” Is the story spot on? I don’t know, but if it is, the write up reveals some interesting information. Here’s an example:

In 2018 the software giant originally detailed its efforts to win back the non-enterprise customers it let down, forming a Modern Life Experiences team to focus on professional consumers (prosumers).

I am not sure what a “Modern Life Experience” is. Maybe the Google outage, the airline baggage theme parks, or living in downtown San Francisco? Also, I have no idea what a Microsoft prosumer is. Maybe a customer? Maybe a power user of outstanding Microsoft software like the auto numbering champion Word?

I noted that Microsoft allegedly has 180,000 employees. So RIFing a mere 200 people amounts to about 0.11 percent of the Microsoft family. What this tells me is that Microsoft was not putting much commitment behind the Modern Life Experiences’ initiative.

But not to worry:

Microsoft’s consumer efforts are now focused on Windows, Microsoft 365, Microsoft Teams for consumer, Surface, and of course Xbox.

Plus Microsoft has a new senior manager to direct the “consumer” efforts. Guess where this individual worked before the Microsoft gig?

That pinnacle of management excellence Uber. That’s a “life experience” I would not want on my résumé.

Stephen E Arnold, August 19, 2022

Can Ducks Crawfish? DuckDuckGo Gives Reverse a Go

August 19, 2022

I read “DuckDuckGo removes Carve Out for Microsoft Tracking Scripts after Securing Policy Change.” I learned:

A few months on from a tracking controversy hitting privacy-centric search veteran, DuckDuckGo, the company has announced it’s been able to amend terms with Microsoft, its search syndication partner, that had previously meant its mobile browsers and browser extensions were prevented from blocking advertising requests made by Microsoft scripts on third party sites.

The write up contains Silicon Valley-type talk about how its bold action and deep thinking sparked the backwards duck walk.

I am not sure if ducks can walk backward. In fact, after a security company assured some folks that privacy was number one and then was outed as a warm snuggler of tracking, will I trust the Duck metasearch thing?

The answer is the same for any online service with log files: Nope.

Oh, for the record, some ducks can waddle backwards for a couple of steps and then they try to walk, hop, or swim forward. The backwards thing is an anomaly. Perhaps you have seen a duck do a bit of nifty backwards walking? I have but it was laughable. Some of my test queries on the Duck have been almost as amusing.

Stephen E Arnold, August 19, 2022

An Amusing Take on Pearson and Non Fungible Tokens for Textbooks

August 19, 2022

I read “Absolutely Terrible Textbook Publishing Giant Pearson Wants To Make Everything Even Worse With NFTs.” The write up states:

There’s an oligopoly of just five giant publishers, and they long ago learned that they are in the best market ever: the buyers of their textbooks (the students) have no choice and are forced to buy the books if their professors assign them — and more such books will get sold every semester that the professor requires it. Therefore, textbook prices are insane by any imaginable standard.

I think the viewpoint is one widely held. However, why not consider the issue from the point of view of the oligopolies themselves.

First, creating textbooks is an expensive, time consuming business. Once one of these textbooks is adopted widely, then that book becomes the goose that lays golden revenue eggs semester in and semester out. A professional involved with a turgid and generally crazy economics textbook told me that the book was known as “Sammy” where the professional worked. This person told me that “Sammy” was in double digit editions and would continue on this path of persistent revisions to keep that money coming in. Losing the Sammy thing, the publisher’s textbook division could plunge into red ink quite rapidly. Therefore, the oligopolists want to hang on to their winners, keep out others like professors who will write a book and make it available under Creative Commons or some similar nonsense, and make old editions useless to students in class now. I thought that was useful information when I learned it a decade ago. I have no reason to believe that the insight remains valid today.

Second, some countries won’t buy or authorize use of US textbooks unless those books are in the languages identified by the country as acceptable. Canada, for instance, once required that Ukrainian be used in textbooks in one province because a majority of students spoke that language. Of course, the textbooks had to be available in French and English too. Translating nearly incomprehensible gibberish about economics, political science, or organic chemistry is expensive. Don’t forget the workbooks, the online tutorials, and other collateral required to land the “adoption”.

Third, professional publishers are not well known as businesses. One doesn’t learn how to build a monopoly on legal, accounting, or government regulatory information in business school. One learns the art and craft of taking essentially jargon filled content and converting it into something that a person skilled in a field can use to justify high fees. This “learning” occurs when a person studying law gets to buy textbooks. A tiny percentage of lawyers accept work at a professional publishing house and can practice the art of monopoly.

Each of these three factors is expensive — creating books, getting adopted and conforming to buyer rules, and hiring people and letting them learn how to be professional publishers.

I remember a meeting at Cornell University years ago. The topic was whether publishing papers in an online journal or a peer reviewed journal would be acceptable for those on a tenure track. The answer was [a] writing a widely adopted textbook was important, [b] publishing in a peer reviewed journal owned by a professional publishing outfit was very helpful, and [c] doing anything without the blessing of the professional publishers was stupid. Today it may be different.

But high prices mean quality. Why shouldn’t certifiers of the best and brightest charge a lot of money? Professional publishers will point out that that is the way oligopolistic certifiers work. Don’t like it? Don’t go to school. Besides NFTs are hip, and professional publishers want to be with it.

Stephen E Arnold, August 19, 2022

TikTok Says Hello, Spotify, Hello, Apple Music

August 19, 2022

Like Facebook before it, Spotify may soon find itself in a defensive position against TikTok. The Hustle briefly describes “TikTok’s Grand Plans to Take Over Our Ears.” Writer Jacob Cohen reveals:

“For the last couple years the trend for many has been to hear a song on TikTok, then listen to it on Spotify. TikTok is, in fact, that much better at discovery: 63% of users discover new music on TikTok before any other platform. As a result, TikTok finds itself in a position where it should probably just start hosting music itself. And it’s already starting. Abroad, in India, Brazil, and Indonesia, TikTok operates an app called Resso, which is like a more social Spotify. Stateside, Insider recently spotted a trademark filing for a “TikTok Music” app. Yesterday, TechCrunch reported similar filings in the UK, Singapore, New Zealand, Mexico, Malaysia, and Costa Rica.”

It is no surprise that Resso’s approach is to be like Spotify, but more social. The write-up notes social media’s recent emulation of TikTok has spread to the audio content field. We wonder—once the thriving app conquers sound, what will it take on next?

Cynthia Murrell, August 19, 2022

Amazon Twitches with Never Complain, Never Explain

August 18, 2022

In 2019, I included a short case example in a lecture for the National Cyber Crime Conference attendees about a Twitch luminary to be. The creator’s name was and is “iBabyRainbow.” The individual wears a bathing suit, purports to be a teen, and cavorts in San Diego. The creator also has some interesting videos findable via Web queries with the name “BabyRainbow.” I pointed out that Amazon Twitch seemed A-Okay with this creator. I checked to see if this creator was still online after I read “Twitch’s Zero-Explanation Bans Continue to Baffle Streamers, This Time a Popular VTuber.” I was and remain puzzled how the “iBabyRainbow” persona fits into the Amazon Twitch rules of the information highway.

The answer, if the information in the cited article is accurate, is that Amazon Twitch adopts the British upper class maxim “Never complain, never explain.”

The write up describes the plight of a creator who is a cartoon or in young person speak a “VR chat model.” Viewers watch a cartoon and interact in real time. I think this means that the VR chat model talks to the viewers. Interesting but not exactly comprehensible to this dinobaby. I get the willing suspension of disbelief argument, but, actually, no, I don’t get it. At all.

The write up states:

Shylily and the many other streamers who make a living on the platform are frustrated with Twitch’s lack of communication when it comes to abrupt suspensions. In May, the streaming site said it was looking into providing more context with the bans it sends out, but hasn’t made any further announcements about implementing this policy. At the time, Twitch said it stood by the accuracy of 99% of its suspension decision.

I interpret this as “never complain, never explain.” Very upper crust, old chap and chapatti. My perception is that Amazon Twitch wants to avoid being tangled in its own rules. Without spelling out the rules on the Amazon Twitch information highway, the company retains some flexibility. The Amazon Twitch executives can do the “Senator, thank you for the question” and the stone walling in which some legal eagles have considerable expertise.

And iBabyRainbow? A bit of a mystery that. A cartoon is problematic but a “teen” on a motorized skateboard holding a mobile phone with a rainbow colored swim suit? Perfectly okay for the teen agers who seek inspiration from Amazon Twitch stars. This dinobaby does not understand.

Stephen E Arnold, August 18, 2022

Forget Data Vacuum Cleaners. Think Amazon Ads

August 18, 2022

I do not read on a regular basis the online publication called “Hustle.” I made an exception for the write up “Amazon’s Ad Biz Is Growing Faster Than Its Rivals.” The write up states:

What is surprising is that Amazon’s digital ad revenue grew 18% YoY to $8.76B in Q2 — more than analysts expected and outpacing Google and Facebook. In fact, Facebook’s revenue shrank for the first time ever by 1.5%.

The Hustle article adds an interesting factoid, which I assume is 100 percent rock solid:

Amazon also has a virtual product placement tool, meaning it can insert brands into its TV shows and movies in postproduction.

I noticed that the nifty chart with a towering growth bar for the Bezos bulldozer noted ad performance for a number of outfits. There was one, in my opinion, glaring omission: TikTok.

I wonder why.

Stephen E Arnold, August 18, 2022

Terrorism and Big Data: A Solution?

August 18, 2022

I recall hearing that a person allegedly named Ayman al-Zawahiri was a terrorist and, thus, became a target for the US. (I thought an entity named Ayman al-Zawahiri had been terminated on one, maybe two previous occasions. But maybe not.) Since that action, I have noted a number of terrorism related articles. One that caught my attention was “How Big Data Is Helping Fight Terrorism?” The article contains a shopping list of intelware functions. These functions and their applicability to deterring terrorism can, for some, be difficult to find. Here are the items on the list presented in the article. For definitions of each function, please, consult the original source:

  1. Processing text, audio, and video inputs. The idea is that intelware can do this work more quickly than officers and analysts.
  2. Identifying money laundering activities. The gist of this function is that intelware can detect actions and patterns more quickly and effectively than investigators.
  3. Pattern identification. The idea I think is that smart software can extract from large data sets sequences or connected events better than a person sitting in a cube in a government office.
  4. AI and machine learning. The author is confident that smart software can improve, learn, and operate in a more effective way than a task force.
  5. Risk projects. Smart software can identify that doing A presents a greater likelihood of taking place than B.

Stepping back from this list, it is clear to me that the hype, the PR, and the jargon of intelware has diffused outside of specialist circles and been recycled in a particularly snappy way. From my point of view, this article is quite different from the information my team and I will present at an upcoming law enforcement conference in mid September. The jazz and zing of marketers has obscured a number of very important points about what intelware can and cannot do. In fact, there are more cannots than many want to accept.

Stephen E Arnold, August 18, 2022

Albert the (Bug) Bounty Hunter

August 18, 2022

Albert Pedersen, an inquisitive scholar in Denmark, makes a hobby of prodding software for vulnerabilities. Now he has proudly collected a bounty after his second successful hunt. Gizmodo reports, “A College Student Discovered a Bug in Cloudflare Email Routing that Let You Read Any User’s Emails.” Email routing services allow users to create disposable email addresses that point back to their “real” accounts and can be valuable privacy tools. That is, if they are truly secure. Writer Lucas Ropek reports:

“Unfortunately, as demonstrated in research published Wednesday by a college student from Denmark, Cloudflare’s service had a giant bug in it. The flaw, when properly exploited, allowed any user to read—or even manipulate—other users’ emails. … The vulnerability, which Cloudflare has confirmed but says was never exploited, involved a flaw in the program’s ‘zone ownership verification’ system, meaning that it was possible for a hacker to reconfigure email routing and forwarding for email domains that weren’t owned by them. Proper manipulation of the exploit would have allowed someone with knowledge of the bug to re-route any users’ emails to their own address. It would have also allowed a hacker to prevent certain emails from being sent to the target at all. In his write-up, Pedersen notes that it’s not that difficult to find online lists of email addresses attached to Cloudflare’s service. Using one of those lists, a bad guy could have quite easily targeted anybody using the forwarding service. After discovering the exploit, Pedersen managed to reproduce it a number of times using multiple personal domains and decided to report the issue to Cloudflare’s bug bounty program.”

We are sure Cloudflare considers the bounty to be $6,000 well spent. Had the bug gone unsquashed, the repercussions may have gone well beyond the troublesome privacy issues. Bad actors could also have used it to reset passwords, gaining access to financial and other accounts. As Ropek points out, this is a good illustration of why two-factor authentication is worth the hassle. As talented as he is, the intrepid young Dane is only one person. He may not catch the next bug in time.

Cynthia Murrell, August 18, 2022
