By John Gruber

• Archive
• The Talk Show
• Dithering
• Projects
• Contact
• Colophon
• Feeds / Social
• Sponsorship

Linked List: January 8, 2018

Monday, 8 January 2018

What Spectre and Meltdown Mean for WebKit ★

Great explanation from Filip Pizlo on the Spectre and Meltdown-related changes that have shipped (and will ship) in WebKit. Includes a pretty good overview of how the Spectre exploit works.

How Meltdown and Spectre Were Independently Discovered by Four Research Teams at Once ★

Great piece by Andy Greenberg for Wired:

Yet when Intel responded to the trio’s warning — after a long week of silence — the company gave them a surprising response. Though Intel was indeed working on a fix, the Graz team wasn’t the first to tell the chip giant about the vulnerability. In fact, two other research teams had beaten them to it. Counting another, related technique that would come to be known as Spectre, Intel told the researchers they were actually the fourth to report the new class of attack, all within a period of just months.

“As far as I can tell it’s a crazy coincidence,” says Paul Kocher, a well-known security researcher and one of the two people who independently reported the distinct but related Spectre attack to chipmakers. “The two threads have no commonality,” he adds. “There’s no reason someone couldn’t have found this years ago instead of today.”

90Fun’s Puppy 1 Auto-Following Suitcase Won’t Stop Falling Over ★

Natt Garun, reporting for The Verge from CES:

Last week, 90Fun announced an autonomous suitcase that uses Segway’s self-balancing technology and a remote control to follow you around, leaving your hands free. We took 90Fun’s Puppy 1 suitcase for a spin at CES, and it’s clear that the vision of hassle-free travel is still some ways away.

We were only able to play with a prototype of the Puppy 1, which means that the design is not yet final.

You’ve got to watch the video. It’s mind-boggling that this was deemed ready to demonstrate publicly. This is like a parody of bad CES demos.

Pharmaceutical Ads in the U.S. ★

From Harper’s Index for January:

Amount the US pharmaceutical industry spent in 2016 on ads for prescription drugs: $6,400,000,000

Number of countries in which direct-to-consumer pharmaceutical ads are legal: 2

Electronic Toymaker VTech Settles for $650,000 With FTC Over Children’s Privacy Suit ★

Shannon Liao, reporting for The Verge:

The Federal Trade Commission said today that the electronic toymaker VTech Electronics has agreed to settle for a fine of $650,000, to be paid within the next seven days, after charges that it violated children’s privacy. The Hong Kong-based VTech is also the parent company of LeapFrog, a popular brand for educational entertainment for children.

The FTC alleges that VTech collected “personal information of hundreds of thousands of children” through its KidiConnect mobile app “without providing direct notice and obtaining their parent’s consent.” The personal information included children’s first and last names, email addresses, date of birth, and genders. VTech also allegedly stated in its privacy policy that such data would be encrypted, but did not actually encrypt any of it. […]

The settlement dates back to the 2015 data breach that VTech suffered. By November 2015, about 2.25 million parents had registered and created accounts on VTech’s platform for almost 3 million children. At the same time, VTech was informed by media that a hacker had accessed its computer network and children’s personal information.

$650K is a slap on the wrist for a company with billions of dollars in annual revenue.

Goodbye Android Pay, Hello Google Pay ★

Pali Bhat, writing on the official Google blog:

Today, we’re excited to announce we’ll be bringing together all the different ways to pay with Google, including Android Pay and Google Wallet, into a single brand: Google Pay.

This makes sense. Or better said, I don’t think Android Pay ever made sense as a brand from Google’s perspective. “Google Pay” works as a brand anywhere, on any device.

It seems to me that Google is stepping away from promoting Android as a brand, period. Take a look at the web page for the Pixel 2 phones and search for “Android”. I see one match, and it’s a small print footnote.

How to Take a Picture of a Stealth Bomber Over the Rose Bowl ★

Fascinating interview by Alexis Madrigal with aerial photographer Mark Holtzman:

Madrigal: So that’s the picture as you took it right out of the camera, or did you have to crop it?

Hotlzman: I always crop it a little. I had to rotate it a little. In the uncropped version, I had the whole stadium, plus some of the parking lot. Unlike film, the way you shoot digital is you shoot wider and crop it in. It’s hard. Things are happening really quick. It’s very fluid. I’m flying at 100 miles per hour. They are flying 200 miles an hour in the other [direction]. So, that’s 300 miles per hour. Things happen really quickly.

Just an incredible photograph.