Episode 572 – Aussie Tech Heads Shownotes


Google’s Project Zero discloses Microsoft Edge bug

Details of the security bypass bug were originally shared with Microsoft on 17 November last year, but because Microsoft wasn’t able to come up with a suitable patch within Google’s non-negotiable 90-day fix period, the security researchers made it public.

Project Zero usually gives software companies an extension of 14 days on that 90-day window if a patch is close, but in Microsoft’s case it wasn’t.



Exactly 90 days post-discovery, Google revealed Microsoft’s excuse, quoting: “The fix is more complex than initially anticipated, and it is very likely that we will not be able to meet the February release deadline due to these memory management issues.”


An attacker who uses the flaw to get control via a webpage that Edge just loaded can’t modify executable code that’s already in memory, nor can they allocate new memory blocks in which to store rogue code, so Sophos suggested Edge users shouldn’t worry too much about it.

“While this hole doesn’t give crooks a direct way to take over your browser immediately, Edge users can regard it as a vulnerability that could make a bad thing worse, rather than a bad thing in the first place.”




Amazon overtakes Microsoft in market capitalisation, thanks to booming AWS revenue

Amazon is officially the third most valuable company in the US.

The retail giant surpassed Microsoft in market capitalisation for the first time on Wednesday, climbing to US$702.5 billion.


Amazon still comes in behind Apple, worth US$849.2 billion, and Alphabet, Google’s parent company, which stands at US$744.8 billion as of Wednesday evening. Microsoft currently holds fourth place.

At the close of market on Wednesday, CNBC dubbed Amazon CEO Jeff Bezos the richest man of all time, beating out Microsoft founder Bill Gates, who had an estimated fortune of US$100 billion in 1999. Bezos holds 78.9 million shares of Amazon stock, and currently has an estimated net worth of US$118 billion, according to the Bloomberg Billionaires Index.




How an Apple staffer leaked the iPhone source code

In 2016, a low-level employee working at Apple’s Cupertino headquarters was convinced by some of his friends in the jailbreaking community to steal some Apple source code for their own security research, two people who originally received the code told Motherboard on condition of anonymity.


The group of friends never intended the source code to leak beyond the initial group, but nearly a year after the code was stolen, someone inside the group gave it “to someone else who shouldn’t have had it,” the sources said.

It’s unclear who exactly leaked the code outside the initial group of friends, but by fall of 2017 people far removed from the initial group had gained access to the stolen code and began sharing the code on forums.

Apple claimed the leaked code is not a security risk for most, if any, users, but some claim the code could still give attackers insight into potential vulnerabilities and bugs in a key part of the iPhone ecosystem.




iMessage outage: Telstra customers unable to send messages on iPhone

A Telstra mobile issue resulted in some iPhone users being unable to use iMessage or FaceTime for around two hours on Wednesday, with many taking to social media and Telstra’s website to express their confusion and displeasure.


One Twitter user suggested the issue had to do with Telstra’s DNS servers, and claimed it could be remedied by pointing devices to an alternate service, such as Google’s.





NBN reports progress but no timeline for HFC fix


NBN CEO Bill Morrow says the company is not yet ready to reveal a timeline for completing work on the hybrid fibre-coaxial (HFC) portion of its network to address performance issues.


“We’re now conducting upgrade work to improve the service quality on HFC and it’s still too early to be specific on timelines for releasing this footprint, but we are progressing quickly and I look forward to updating you shortly,” the CEO told a briefing on NBN’s first half results.

The chief executive said that although NBN had paused sales it had not halted HFC-linked construction work.

“That is continuing at pace and we’re tracking well on declaring premises ready for service,” Morrow said.



Drop everything and download: THRIVE

THRIVE for Android wants to help you take a break from your phone. Lots of breaks, in fact.


There are various settings and options, depending on how cut off from your apps and friends you want to be.

If a specific app eats into your day, turn it on in the App Control list, setting a daily usage limit. Once that’s reached, you won’t be able to Clash any Clans or Insta any Grams until midnight. The app tracks usage over time, too, making it handy even if you set generous limits.

Beyond that, you can trigger the basic Thrive mode for a set period, which stops you using your phone and forces you to focus on something more important. This can be cancelled at any point though. So if you’ve no willpower, try Super Thrive Mode instead, which blocks everything bar an emergency dialler.

THRIVE is currently in beta on Google Play, and is available for free.





Apple Inc. is in talks to buy long-term supplies of cobalt directly from miners for the first time, according to people familiar with the matter, seeking to ensure it will have enough of the key battery ingredient amid industry fears of a shortage driven by the electric vehicle boom.

The iPhone maker is one of the world’s largest end users of cobalt for the batteries in its gadgets, but until now it has left the business of buying the metal to the companies that make its batteries.

The talks show that the tech giant is keen to ensure that cobalt supplies for its iPhone and iPad batteries are sufficient, with the rapid growth in battery demand for electric vehicles threatening to create a shortage of the raw material. About a quarter of global cobalt production is used in smartphones.

Apple is seeking contracts to secure several thousand metric tons of cobalt a year for five years or longer.



A group of video game preservationists wants the legal right to replicate “abandoned” servers in order to re-enable defunct online multiplayer gameplay for study. The game industry says those efforts would hurt their business, allow the theft of their copyrighted content, and essentially let researchers “blur the line between preservation and play.”

Both sides are arguing their case to the US Copyright Office right now, submitting lengthy comments on the subject as part of the Copyright Register’s triennial review of exemptions to the Digital Millennium Copyright Act (DMCA). Analyzing the arguments on both sides shows how passionate both industry and academia are about the issue, and how mistrust and misunderstanding seem to have infected the debate.

The complete arguments go into much more arcane detail over the definition of a “transformative use,” the possible consequences of encouraging jailbroken consoles to re-enable online play, and what exactly counts as a “non-commercial” preservation. Reading over both arguments, though, it feels like preservationists and the industry are talking past each other a bit.

Where one side seeks limited, private access to historical gameplay, the other fears a slippery slope leading to public distribution of hacked-open servers. Where one side sees games sitting unplayable for lack of attention from their makers, the other sees a valuable back catalog “vault” it should be able to open and close at will.


A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop clients that allow an attacker to infect a victim with malware or collect data on the user’s past downloads.

The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know.

Attacks rely on luring victims to malicious websites

Ormandy says that both uTorrent clients expose an RPC server, on port 10000 (uTorrent Classic) and 19575 (uTorrent Web).

The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client into accessing a malicious web page.

Furthermore, the uTorrent clients are also vulnerable to DNS rebinding, a vulnerability that allows the attacker to legitimize his requests to the RPC server.
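As an added illustration (not code from uTorrent, Project Zero or the original article), this is the kind of check a loopback-only RPC listener can apply to refuse both rebound and cross-site browser requests. The function names and sample requests are hypothetical; port 10000 is the uTorrent Classic port mentioned above.

```python
from urllib.parse import urlsplit

# Names a loopback-only listener should answer to (assumption for this sketch).
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}
DEFAULT_HTTP_PORT = 80  # port implied when Host or Origin carries none


def host_and_port(authority):
    """Parse 'host[:port]' from a Host header or Origin; None if malformed."""
    authority = authority.strip()
    if not authority or any(c in authority for c in "/@?# \t"):
        return None
    try:
        parts = urlsplit("//" + authority)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    if parts.hostname is None:
        return None
    name = parts.hostname.lower().rstrip(".")
    return name, DEFAULT_HTTP_PORT if port is None else port


def names_this_listener(authority, listen_port):
    parsed = host_and_port(authority)
    return (parsed is not None and parsed[0] in LOOPBACK_NAMES
            and parsed[1] == listen_port)


def is_request_allowed(headers, listen_port):
    """Serve a request only if Host, and Origin when present, name this listener."""
    h = {k.lower(): v for k, v in headers.items()}
    # After DNS rebinding the browser still sends the attacker's name in Host.
    if "host" not in h or not names_this_listener(h["host"], listen_port):
        return False
    # A cross-site page calling 127.0.0.1 directly carries its own Origin.
    origin = h.get("origin")
    if origin is None:
        return True  # non-browser client, or a same-origin request without Origin
    scheme, sep, authority = origin.partition("://")
    return sep == "://" and scheme == "http" and names_this_listener(authority, listen_port)


# Constructed sample requests (header dicts), not captured traffic.
LOCAL_UI = {"Host": "localhost:10000", "Origin": "http://localhost:10000"}
REBOUND = {"Host": "rebind.example.net:10000"}
CROSS_SITE = {"Host": "127.0.0.1:10000", "Origin": "http://rebind.example.net"}
```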



Picture this: You’re driving home from work, contemplating what to make for dinner, and as you idle at a red light near your neighborhood pizzeria, an ad offering $5 off a pepperoni pie pops up on your dashboard screen.


Are you annoyed that your car’s trying to sell you something, or pleasantly persuaded? Telenav Inc., a company developing in-car advertising software, is betting you won’t mind much. Car companies—looking to earn some extra money—hope so, too.


Automakers have been installing wireless connections in vehicles and collecting data for decades. But the sheer volume of software and sensors in new vehicles, combined with artificial intelligence that can sift through data at ever-quickening speeds, means new services and revenue streams are quickly emerging. The big question for automakers now is whether they can profit off all the driver data they’re capable of collecting without alienating consumers or risking backlash from Washington.


“Carmakers recognize they’re fighting a war over customer data,” said Roger Lanctot, who works with automakers on data monetization as a consultant for Strategy Analytics. “Your driving behavior, location, has monetary value, not unlike your search activity.”


Carmakers’ ultimate objective, Lanctot said, is to build a database of consumer preferences that could be aggregated and sold to outside vendors for marketing purposes, much like Google and Facebook do today.


A couple of years back, Mattel and Tynker partnered up to produce programming lessons based on Hot Wheels and Monster High. Now the two companies are expanding their partnership to launch seven new Barbie-themed coding lessons this coming summer. The curriculum, aimed at teaching girls about computer programming, will also expose them to potential careers like becoming a veterinarian, astronaut or robotics engineer. The larger goal is to introduce coding to 10 million kids by 2020.


The Barbie programming curriculum has been designed for beginners in grades K and up. It puts learners in career roles alongside Barbie as it introduces concepts gradually. It’s not all just Barbie, of course, with a few different initiatives coming in 2018, including a Mattel code-a-thon and teacher outreach program as well as involvement in the Hour of Code in December. “For close to 75 years, Mattel has taken a visionary approach to advancing play for kids around the world, most recently promoting computer programming and other STEM skills alongside iconic brands like Barbie, Hot Wheels and Monster High,” said Tynker’s Krishna Vedati in a statement. “We are very excited by this expanded partnership and the ambitious — but achievable — goal of teaching 10 million kids to learn to code by 2020 using Mattel brands.”