Coming up on DTNS, the scoop on the Capital One data breach, good news for image sensor company Sony, and whether infinite scrolling should be illegal. This is the Daily Tech News for Tuesday, July 30th, 2019 in Los Angeles. I'm Tom Merritt. And from Studio Feline, I'm Sarah Lane. From Studio Threat Wire, I am Shannon Morse. And I'm the show's producer, Roger Chang. We were just talking to Shannon about egg rice and her thoughts on the shirt air conditioner from yesterday's show. That's all on Good Day Internet, plus some late breaking news. If you're not getting Good Day Internet, figure out how at patreon.com slash DTNS.

Let's start with a few tech things you should know. The refresh of Android Auto that Google announced at Google I/O earlier this year is finally starting to arrive this week. It includes an updated layout, an app launcher, a notification tab, a new typeface and dark mode by default. Instead of category icons along the bottom, the new Android Auto has an app launcher button, a notification bell and Google Assistant shortcuts. Yay.

Microsoft announced Skype for Business Online will be retired July 31st, 2021. Starting September 1st of this year, new Office 365 customers will be given Teams instead of Skype for Business Online. Microsoft's Teams group chat service is considered at feature parity with Skype for Business Online, but it is still pursuing feature requests for Teams from Skype for Business Online users. Got a year to make it so people don't hate Teams worse than they already hate Skype for Business Online.

AT&T announced that later this summer it will change the name of its DirecTV Now streaming TV service to AT&T TV Now, because there weren't enough Ts in it before. Current DirecTV Now subscribers won't really need to do much. They'll need to re-accept terms of service and re-log in once the change happens. Otherwise, everything, for the moment at least, will stay the same.
The company will also launch a new TV streaming service called AT&T TV, without the Now. That will use a thin client set-top box, so it's kind of a way to give folks cable without having to make them buy a Roku or Apple TV, I guess. Both AT&T TV and AT&T TV Now will be accessible from the same mobile and connected television apps. If you're confused, please see next week's Cordkillers.

MediaTek released two gaming-focused chipsets for mobile, the G90 and G90T 12-nanometer octa-core chips. The MediaTek G90 and G90T chips clock up to 2.05 GHz, can support 10 gigabits of LPDDR4X RAM and contain ARM's Mali G76 GPU with speeds of up to 800 MHz. It's also compatible with HDR10 10-bit color depth. A Xiaomi gaming phone with the MediaTek chip will be released soon.

All right, let's talk a little bit more about Google saving iOS' security. Yay, Google! Natalie Silvanovich and Samuel Groß, researchers at Google's Project Zero, discovered six vulnerabilities in iMessage for iOS. Five of them were patched in last week's iOS 12.4 update. Four of them, including the one unpatched vulnerability, require an attacker to send a message with malicious code that executes upon opening. The other two were memory exploits. Lots and lots of exploits. Yeah, so the five that were patched have been revealed, but Project Zero is only acknowledging that there's an unpatched one. They're not making any details about it available until it's actually patched, right? Right, that's correct. And rightfully so, because they don't want to announce all of the information that tells people how to be able to exploit this. And the interesting one I really enjoyed reading about was the iMessage one, which apparently requires no interaction from the user. I did read up on the CVE for this issue. It's issue 1873, which specifically says it can be reached remotely via iMessage and crash SpringBoard with no user interaction. You don't even have to open the message, just receive it.
Yeah, apparently you just have to receive it. It does state no user interaction. So it's kind of fascinating that all you have to do is get one of these exploitable messages, which has malicious code built in, to have your iPhone thereby become exploited. So pretty serious issues, definitely something that you should consider updating for. Now, I know it's tempting for a lot of people out there to think of this as, wow, Apple being bad and Google saving them. I tend to say companies are going to have bugs. It is impossible for any company to anticipate every bug. That's just not how coding works these days, sadly. What you want to do is catch the bugs before the malicious actors catch them. And one of the great things that Google does is Project Zero, which just goes out and looks for bugs everywhere, because Google knows that it has users on iOS, and it doesn't want them to be hacked. So it wants to make the world safer. This is one of those areas where I think Google is doing not-evil stuff, right? They're doing good. Yes, they are. They don't just focus on Chrome or Android. They've used Google's Project Zero for all sorts of vulnerabilities, including Apple in this example as well. So it is, I agree with you, one of the really good things that Google has been focusing on, because it does make the world safer, not just their customers. So they're focusing on it as a whole. And with this one, you are correct in saying that it hasn't gotten out into the public in the wild. So nobody has necessarily exploited any of these attack vectors, but they could have. So it's good that Google's Project Zero has already gone ahead and worked with Apple to fix these. So as long as you are really adamant about making sure that your device is updated, then you should be perfectly fine. All right, let's check in on Huawei.
Huawei reported its official first half earnings, and we're trying to continually keep you up to date on what's going on with this, because there's a lot of misinformation flowing around about it. As expected, remember, Huawei had issued some warnings. We talked about them before. This is their official announcement. Revenue grew 23.2%. Smartphone shipments rose 24%, both of those year over year. Now, US trade restrictions on Huawei didn't start until May 15. And that's almost to the end of the half, right? The half year ends on June 30. So the restrictions didn't have a lot of time to have an effect. A lot of folks are casting this story as, like, Huawei resists the problems with the trade restrictions. First of all, they didn't start till nearly the end of the half of the year. And second of all, a lot of the effects of the restrictions wouldn't be felt immediately, because they had stockpiles of chips and all of that. Also, don't forget that those restrictions were eased on June 29, right before the end of the half. So they started to ease up and may not have too much of an impact on the second half. We'll see, although those restrictions are only eased until August 19. We don't know if they'll extend the easing of the restrictions past then. So that's where we're at. However, Q1 revenue at Huawei had been up 39%. And a half month of restrictions seems to have had an effect, because they were only up 23.2%. So even that short month seems to have brought down Q2, which usually is a little bigger than Q1. Canalys estimates that Huawei shipped 37.3 million smartphones in China in Q2. That's up 31% in China, raising Huawei's Chinese market share by 10 points, while all other competitors, Oppo, Vivo, Xiaomi, and Apple, saw declines. So the trade restrictions may also have had an effect in China, causing the domestic market to rally around Huawei. Last month, Huawei CEO Ren Zhengfei said the restrictions would cost the company $30 billion in revenue.
They're not changing their tune. They're saying, yep, this is still going to impact us in the second half. Huawei also said it had secured 50 commercial 5G contracts around the world and shipped more than 150,000 5G base stations around the world. On the one hand, that means, hey, they're still selling their 5G equipment, even though the United States is trying to convince countries not to buy them. But that's not a huge number. It's not as small as it may sound, because we're talking about big networks, we're not talking about mass markets like phones, but it's not them selling to a ton of countries out there. So the very short version of this is: Q1, not bad. Q2, not bad. Q3, we might see some long-term effects of what Huawei is going through. Although the Chinese market, if it continues to double down there, which why wouldn't it, is stronger than ever. Yeah. Q2 was some impact for the bad, some impact for the good. We'll see if that carries on. It depends on whether those trade restrictions stay eased; then it probably won't be so bad, but they are going to have a slowdown. So that's where you are. Huawei isn't in great shape, but they're not in horrible shape. And I think that's probably right where trade negotiators for the United States would like them, so that it's not pushing them too far to the edge, but you're still saying, hey, we could make it worse if you don't deal with us. That seems to be what's going on.

In other earnings news, a company called Sony, it's an imaging sensor company, perhaps you've heard of it, reported record operating profit on strong demand for multiple lens cameras for smartphones. Profit from image sensors was 49.5 billion yen, up from 29.1 billion just a year ago and offsetting a 9.6 billion drop in Sony's gaming business. Sony smartphone revenue also dropped by 15% over last quarter, so not doing great in that area. Sony warned the tariffs on Chinese products in the U.S.
could cause a game console price hike, which might also slow PS4 sales even more. The PS5 isn't expected to arrive until late next year, so we're at least a year out from that. Also, it's estimated that Huawei accounts for 15% to 20% of Sony's image sensor business, leaving questions about how they may be affected as well. Yeah, I mean, it ties back into that last story. If Huawei turns out to be okay, then Sony will probably still be able to keep selling them image sensors. If Huawei suffers and can't build the phones, then Sony won't be able to sell them image sensors. It's not about whether they're blocked by trade, because Sony is a Japanese company. It's whether Huawei is going to be in a buying mood, if they're in shape to buy the sensors. I really hope that it doesn't hurt Sony's imaging sensor business, because they do make incredibly quality camera sensors, not only for smartphones, but also their own lines of point-and-shoot and DSLRs as well. What I am very curious about is, you know, the PS4 sales. Obviously those are going to drop off, since the PS4 is an older console at this point with lower-end features compared to what we are starting to see announcements for, but they are intending to sell that PS5 late next year. So hopefully, with all the trade disputes and everything, hopefully that doesn't mess with the tariffs too much, because I really don't want to see a price hike on consoles personally. I really, really don't. Yeah. And Sony, you know, like many companies, including Apple, is throwing out the warning saying, hey, let's not put those tariffs on us. Those warnings, I don't think, have any effect on whether the tariffs are going to go into place or not. It all depends on other political considerations, but it might raise the price of your PS4, which would slow sales of PS4, which would also not be good for Sony. And that would in turn probably slow the sales of PS4 accessories, some of which are made in the US. Yeah, it could have a cascading effect.
You're right. Real quickly, Shannon, before we get to the next story, Apple earnings are coming in. Sarah, we'll probably talk more about what they mean after we hear about the call yesterday, but how are they looking? Well, it's a mixed bag from what we're seeing. And again, very preliminary: Q3 revenue of $53.8 billion, which is up 1% year over year, not a big jump. Record services revenue of $11.5 billion, up from $10.2 billion year over year. iPhone revenue alone of $26 billion, which is down from $29.5 billion year over year. Stock is up a little bit, and it will probably be fluctuating quite a bit before we're over the show. All right.

Shannon, tell us how Nintendo did. Yay, consoles. Nintendo announced it had sold 36.87 million Switch units worldwide. Nintendo sold 2.13 million Switch units this past quarter, a 13.2% increase over the last year. 3DS sales were down 45% on the year, ahead of the Switch Lite. Nintendo's operating profit dropped 10.7% year over year, although net sales were up 2.14% at 172.1 billion yen. Nintendo also said Super Mario Maker 2, just on its own, sold 2.42 million units in 3 days during the quarter. That's a very large number. That's just shy of a million a day, isn't it? Yeah, I can do math. No, really good Nintendo quarter. Even though the revenue was down, that was expected. What they want to see is these strong Switch sales units. I think a lot of people weren't sure if the Switch Lite announcement would undermine Switch sales or undermine 3DS sales, and it looks like it undermines 3DS sales, which is, I think, what Nintendo would want. They want people to go from the 3DS to the Switch Lite. They don't want to undermine the Switch main console.
Yeah, it's not that surprising to me at all that the Switch Lite ended up doing that with the 3DS, especially because the Switch Lite has compatibility with games that are currently out for the Nintendo Switch, and not only that, but they will be introducing the one that has better battery, the full-size Nintendo Switch that's compatible with your TV too. I have a feeling that we're going to continue seeing Nintendo really competing in that market, because they have been doing just a great job this past year.

Let's talk about social media and our addictions to it. US Senator Josh Hawley introduced the Social Media Addiction Reduction Technology Act, aka the SMART Act, that would make it illegal for social networks to use infinite scroll or autoplay media. Achievements that don't substantially reward users, for example Snapchat's streaks, would be against the law, and networks would be required to provide a natural stopping point that encourages users to take a break. No social media network is going to want you to do that, but okay. Exceptions would be made for music-focused services. The US FTC and state attorneys could take action against companies, and the FTC and Department of Health and Human Services could jointly write new rules for new features should this go through. How do we think the chances are? It's not good. Senator Hawley has been behind a number of tech-focused attempts at bills. I'm sure they will help him in his campaigns. None of them have got traction. I don't expect this one to get any traction either. Neither do the people who are much smarter about this stuff at the Hill, and Justin Robert Young and them. But it is interesting to look at, because it says stop autoplay media, which immediately has me irrationally excited, until you read the bill and you find out he carves out an exception for advertisements. No. Yeah. So no, I am not in favor of this bill at all.
And on a more serious note, legislating features, or as Techdirt put it, appointing the US Congress as the product manager for social networks, never works out well. It's too specific. If you're going to legislate, you need to legislate towards results. You need to legislate against harms. But this is telling social networks how to design their products. And as well-intentioned as it may be, it always has unintended side effects and doesn't work the way people wish it would work. Exactly. Yeah. The whole idea of encouraging somebody who might be on a social network quite a bit of the day, every day, to take a little bit of a break, well, that's one thing. Making certain features illegal because it has been deemed that no human should withstand this kind of thing, that is just not a one-size-fits-all type of solution. I could definitely see, like, social media influencers or social media managers really advocating against this bill if it did end up going into the system. But personally, the idea of not having autoplay, but for advertisements as well, that would be really nice. Well, and also exceptions for a music-focused service. I think of how easily you could just get around some legality issues. Well, we've got music. Yeah. Okay. I'm no longer, because the social network is defined as something focused on user interaction. Well, suddenly you change your mission statement. Like, oh, we're not focused on the social interaction. There are so many devils in the details here that I don't know that this is a good idea. But man, if we could just focus on banning all autoplay media, then I just might throw my libertarian ideals out the window. Can we just ban social networks and call it a day? Social network is gone. That's all of it, right? We can't have these nice things. It just doesn't work out. The We Can't Have Nice Things Act will be coming soon.
Well, folks, if you get all the tech headlines each day in about five minutes, that means you are subscribed to dailytechheadlines.com. And if you don't, you're not. So go get subscribed.

All right. The big news of the day. Capital One announced Monday that names, addresses, phone numbers, credit scores, limits, balances, payment history, birth dates, income levels, and contact information were accessed by an intruder into Capital One's systems. Also, fragments of transaction information from a total of 23 days across 2016, 2017, and 2018. This information came from cardholder and card applicant information stored in an Amazon Web Services database between 2005 and 2019. 100 million customers in the United States were affected, 140,000 of them had Social Security numbers leaked, and 80,000 of them had bank account numbers leaked. 6 million Canadian customers were affected, with one million social insurance numbers leaked. There is no evidence that the information has been used for fraud or even that it's out on the open internet at this point. There's also no evidence that it's not. But the investigators, including the FBI, do not think that it's out there. They're continuing to investigate. Affected customers of Capital One will get free credit monitoring and identity protection anyway.

How did this happen? Well, a GitHub user saw a post July 17th boasting about the attack. That GitHub user alerted Capital One. The FBI was called and was investigating. The FBI found GitHub posts, Slack messages, and Twitter DMs linked to the person who had breached Capital One's database. IP logs showed that access to the GitHub posts and the cloud server with the Capital One data came from the same VPN service. That is coincidental information that seems to point to the same person. The US Department of Justice arrested Paige Thompson, who sometimes goes by the name Erratic, 22 years old, on Monday. Thompson is charged with computer fraud and abuse, with a hearing set for August 1st.
She was a systems engineer at Amazon Web Services between 2015 and 2016. She's not currently employed by Amazon. The access to the Capital One database occurred March 22nd and 23rd of this year. It did not exploit a vulnerability in Amazon Web Services. Amazon says, we're tight. This was not our problem. What Paige seems to have done is exploit a misconfiguration of Capital One's web app firewall on Amazon Web Services. Capital One says it was a misconfigured web app firewall in its own infrastructure that Thompson accessed. The maximum penalty that Thompson could face for computer fraud and abuse is about $250,000 and five years in prison. A class action lawsuit was filed in federal court Tuesday morning against Capital One, probably for negligence in allowing this to happen. The attorneys general of New York and Connecticut have also announced their investigations as well. This is a bad breach, Shannon, in that it has Social Security numbers and bank account numbers. Could have been worse. It doesn't have credit card numbers. It certainly won't be as bad as it could be if it's true that none of this has been used or leaked out onto the open internet. What's your take on this? Correct. We have not seen any proof that it has been used in the wild or that Ms. Thompson had indeed released this anywhere, other than just saying online publicly and through DMs, through social media, that she was indeed the person behind this hack. So it sounds like she was just going online and saying, like, hey, I did this thing, and that's it, but she didn't actually put any of that detail online. I am happy that they are allowing for credit monitoring and identity protection for any customers that are affected. That's good. I'm also glad that the attorney general is doing an investigation into this, because that breach shouldn't have been available in the first place. This should not have been something that they had the ability to do, that Thompson had the ability to do.
I also have a lot of concerns about them putting data on an AWS platform externally. So that's a whole other thing right there. But the big question that I had when I was researching this was, why don't they have any kind of bug bounty program? Because I was looking through this and I was like, hold up. Why would somebody hack Capital One, this American company, if they have some sort of bug bounty program? So it turns out Capital One has a responsible disclosure program, which allows you to send them an email, with a whole submission format that you should abide by, to in turn give them information about any kind of vulnerabilities that you might find and any kind of exploits you can run against their different servers and websites and everything behind their data. But they don't pay out any kind of reward or compensation for that. So they don't have a public bug bounty program, which we are seeing a lot more of these days. So I do find it kind of disappointing and unfortunate that Capital One didn't have the forethought to create some kind of bug bounty program that would kind of incentivize hackers to go about this the white hat way, of actually going in and responsibly disclosing this and getting some kind of incentivization back, because indeed anybody that goes in and hacks some place, they are working for this thing. So I feel like they should be incentivized to give you that information instead of taking it to a black market, for example. I think it would be a lot better. And maybe, of course, I don't know Thompson myself, but maybe if they did have some kind of bug bounty program with compensation, this wouldn't have happened in the first place. Yeah, she might have been more willing to take the money, right? We don't know. It's impossible to say. But it's possible that that could have happened.
And even more so, there might have been more eyes looking for this kind of vulnerability, and someone else might have found it instead of Thompson and collected the bug bounty, and they get it patched up without any harm happening. Instead, we're teetering on the edge of hoping that this isn't bad. Exactly. Because if they caught her before it was posted publicly and she's the only one who saw it, then I hesitate to say no harm done. But that's not the disaster that this could be if this gets out on the internet, in which case we have an Equifax-style breach again. Yeah. And definitely, still harm done, because I do feel for hackers, especially young ones, who may not understand what position they're putting themselves into if they do put this kind of information out there, or if they do these kinds of hacks illegally, because there is a lot of responsibility that they end up having to deal with if they end up doing something like this. Even if it's accidental, or if they don't understand the legal guidelines that they should be abiding by, especially here in the U.S. with the Computer Fraud and Abuse Act, those are really serious consequences that you can run into. And if you're a 22-year-old hacker who may not understand what you're putting yourself up against, then you may end up ruining the rest of your life if you do something like this. Yeah. It's interesting to me too how this came to Capital One's attention. Capital One says on July 19th, but the GitHub poster says they saw the post on July 17th. So there's a couple of days of variance there. But essentially, about a half a month, less than half a month, in which the FBI was able to track down the source and arrest her. That is not the norm. So I don't know if they had a lucky break or if she was just sloppy or what. But this is a much better scenario than we usually have, where we have no idea who took it. And there's no question that it's out on the Internet in the wild. Yeah.
I would like to see more people with hacking incentives redirected towards programs like they have in Europe that kind of teach them how to use their hacking for good. Bug bounties are good for helping direct that sort of energy in the right directions. And it's always easy to point fingers at the internal infrastructure and say, you should have caught it. But it is a wake-up call that, hey, if you can secure your credit card number information, which most of these companies do, you need to figure out how to make it happen that you spend the time and money to secure the other personal information, because this is going to continue to happen otherwise. Capital One, just a quick mention, they are kind of downplaying the information that was possibly exposed in this data breach by saying the credit card numbers were not exposed, but the other data was. However, that data that was exposed is enough for somebody to social engineer their way into some identity theft. So if you take that into consideration, it's still something that should be taken seriously. Yeah, no, absolutely. Like, hey, it's great that you properly protected your credit card information. I wish you would have protected the rest of the information too. Exactly.

Well, unsurprisingly, the Capital One story was a big one in our subreddit today. You can submit stories that you know we should cover on our show and also vote on other stories that are submitted at dailytechnewshow.reddit.com. We're also on Facebook. We've got a group there, facebook.com slash groups slash dailytechnewshow.

Let's check out the mailbag. Let's do it. This one comes in from Max, who says, all right, I'm not a quantum physicist, but I am a security professional and I've hung out with some very smart people at the University of Waterloo working on quantum cryptography and quantum key exchanges.
From my dumb questions to these smart people, the way I understand that it works is, because light travels so fast, you have to transmit a stream of the same qubit for the receiver to capture the intended qubit. You probably store the stream captured to do time division multiplexing to find the next qubit that we were talking about. How is some of this stuff happening faster than the speed of light? Yeah. Well, it's not happening faster than the speed of light, but you would ask why are phonons better than photons, because, hey, speed of light, right? And from what he's saying, it sounds like because light travels so fast is the problem, because you have a harder time reading it. It seems like. Thank you, Max, for talking to the quantum physicists for us and passing this along. Still would love to hear from a quantum physicist. I know you're out there. If you can figure out how to explain it to us, that'd be great. But in the meantime, thank you, Max. Really appreciate that. Thank you, Max.

And also thanks to Shannon Morse for being with us two Tuesdays in a row. We should be so lucky to have you again next Tuesday. Let folks know where they can keep up with your work in the meantime. You're so sweet, Sarah. I just announced a really exciting special offer over on my Patreon. It's patreon.com slash threatwire, where I'm sending out personalized video thank-you messages to anybody that signs up at any of the tier levels. And if you're interested in what Threat Wire is all about, I just talked about everything you probably need to know about the Equifax hack and how you can actually get some money back if you were affected. So definitely check out my newest video over there. That is true. Patreon.com slash threatwire. Also, folks, if you're a patron, you got Shannon in your box this morning with a special Threat Wire cross-post about the, I can't remember his real name now. Marcus Hutchins. Yeah, about MalwareTech.
If you want to find that, go to patreon.com slash DTNS. Our email address is feedback at dailytechnewshow.com. We love getting your feedback. Keep it coming. We're also live Monday through Friday at 4:30 p.m. Eastern. That's 2030 UTC. Find out more, tell a friend: dailytechnewshow.com slash live. Back tomorrow with Scott Johnson. Talk to you then. This show is part of the Frog Pants Network. Get more at frogpants.com.