Coming up on DTNS, Microsoft declares war on Reply All. PepsiCo wants to sell you snacks directly online. And Charlotte Henry's here to help us understand the whole UK virus app mess. This is the Daily Tech News for May 11th, 2020. It's a Monday here in Los Angeles. I'm Tom Merritt. And from Studio Redwood, it's also Monday. I'm Sarah Lane. And I'm Roger Chang, the show's producer. As I mentioned, associate editor from the Mac Observer Charlotte Henry is with us from the UK. Welcome, Charlotte. Hello, thanks for having me. Yes, hello from Lockdown London. We were just talking about what kind of live sports you can watch, given that most sports are canceled right now. That was on Good Day Internet. KBO, Belarusian soccer. Get that conversation, become a member at patreon.com slash DTNS. Let's start with a few tech things you should know. Spotify rolled out a beta of group sessions, which lets premium users share music controls with those nearby. A host generates a scannable Spotify code within the app, then provides guests with playback controls and the ability to edit and add songs to the song queue. So it's sort of like, we're all the DJ together. There's no listed limit on the number of users in a group session, and a session ends after an hour of inactivity. Twitter announced it'll add a label to mark tweets with misleading information on COVID-19. The label will link to a Twitter curated page or an external trusted source to provide information about the misleading claims. Tweets will be ranked on a propensity of harm scale with disputed claims or misleading information deemed moderate, receiving the label while those judged severe will receive a warning or removal. I can't wait for people to start arguing about how harmful a tweet was and what label should have been given. Qualcomm announced the Snapdragon 768G system on a chip.
Its second 5G integrated chipset and a higher clocked successor to its Snapdragon 765G with 15% faster CPU and GPU performance. The chipset also includes support for updates to GPU drivers through the Google Play Store and Bluetooth 5.2 with support for low-energy audio. Google confirmed it's rolling out support for up to 32 participants on Google Duo video calls. That's up from 12. The beta version of the WhatsApp desktop app added a Facebook Messenger Rooms shortcut letting up to 50 people join a virtual room there within the desktop app or the web version. Sony announced on May 10th that it temporarily closed the PlayStation Store in China to perform a system security upgrade. Now, the company didn't specify a reopening date or give much else detail, but it's unclear if the update is related to a recently disclosed backdoor that could allow Chinese PlayStation users to switch to overseas services and then download unlicensed games. Mount Sinai Hospital is working with Google to integrate Nest cameras into hundreds of COVID-19 patient rooms. Most rooms use two Nest cams, one to monitor and communicate with patients and the other to monitor the vitals. Livestream video is sent to a purpose-built console at nurses' stations. The solution was developed over several weeks to ensure HIPAA and other regulatory compliance with Google itself not having access to any of the data. Benefits include limiting frontline healthcare worker exposure, saving some time and conserving personal protective equipment. Google plans to provide 10,000 Nest cams with monitoring consoles to hospitals across the United States. DEFCON organizers announced that the annual Las Vegas conference that takes place in August is canceled this year. And yes, it's not a joke. It's really canceled due to uncertainty about the COVID-19 pandemic. Black Hat, which precedes DEFCON each year, is also canceled. Now both will host online conferences instead, including research talks and social events.
Founder Jeff Moss, aka The Dark Tangent, said in a forum post that the 28th DEFCON will be known as Safe Mode. I like that. And finally, for the 10 of you who really, really, really care, the subscription email app, Newton Mail, part of the now-defunct Essential, was scheduled for a shutdown on April 30th, but the app has a new lease on life after being purchased by product designer, Maitrik Kataria, and SoFriendly design agency founder, Justin Mitchell. The two said they're fans of the app, will support all existing Newton Mail apps and keep pricing at $50 a year. This marks the third ownership change for Newton Mail since 2018, and the new owners pledge that if the business fails again, they'll open source Newton and find a way for self-hosted servers to support the product indefinitely. So good news for the Newton users. All right, let's talk a little bit more about chips being made in the United States. Yeah, maybe. The Wall Street Journal's sources say that White House officials are in talks with Intel and TSMC to build chip foundries within the US as well as with Samsung to expand contract manufacturing operations in the US to more advanced silicon. A letter obtained by the Wall Street Journal from Intel CEO Bob Swan to the Department of Defense said that the company would be willing to build a commercial foundry in partnership with the Pentagon. Now Intel currently has US-based foundries to create its own chips, but the proposed facilities would also serve third-party clients. TSMC has supposedly been in talks with the US government and Apple about a US factory. Spokesperson for TSMC, Locoi, said that the company has no concrete plans but that it's always open to building fabs overseas. They just didn't want to talk about it in public. I'm guessing they're probably having talks and there's just nothing to announce that makes sense. The other important thing to remember here is Intel does make chips in the United States.
And so I'm sure if I were Intel's Bob Swan and the government came and said, hey, we'd like to give you some money to make more chips in the US, I'd be like, great, sign me up. I'll take some government money. Not a problem. This is not going to affect Foxconn, Wistron. It's not going to immediately change where chips are manufactured for things, but it could be a more direct supply line for chips to the Pentagon for military uses. So there may be some validity to it. Charlotte from outside the US, how does this strike you? Yeah, I think you're right. I think in general, as we sort of move through the different phase of this pandemic as well, we're gonna start to see a lot of products start to be manufactured in different places and supply chains perhaps become less dependent on China or any individual location. I think we'll see that for all sorts of tech products. We saw Apple did pretty well in its last earnings call, but a lot of that was backed up by services and stuff that had been built before that so that the supply chain from China wasn't particularly held up. And so it makes sense that something is vital to these tech products as chips would be moved to different locations. That makes sense to me. And I noticed as well, when Sarah was describing and talking about the different companies that this was gonna apply to, a lot of them do make products of different kinds in the US already. There are Apple manufacturing and development parts and all sorts of things in America already. So it's not such a huge leap for these companies. And in particular, Intel already makes chips here. So it would just be making more chips here. So that's an easy one. That's in particular, but a lot of the other companies, Sarah and I do have production facilities and various kinds in the... Yeah, it seems like a story that people jump on and go, ooh, look, the tide's turning. Things are really gonna change. It's like, well, sure, there might be some expansion that can be done. 
Doesn't sound like anything is inked, or if it is, we don't know about it yet. And this has already kind of been happening with certain companies. And it will take a long time anyway. Exactly, that's the thing to know about this, is even if this does lead to something more significant down the road, it's gonna be a while. This is not something that's gonna happen right away. Intel and Microsoft released details on a new malware detection project called STAMINA, which stands for Static Malware-as-Image Network Analysis. That's gotta be a backronym. This project takes a binary input file and converts it into a stream of raw pixel data with black or white pixels representing the binary values of one or zero. This one-dimensional stream of pixels is then turned into a 2D image by assigning a width based on the overall pixel file size. And then that image, and this is the key part, if you're like, why would they do this? The image is then resized down to save computational resources. And a pre-trained deep neural network trained on 2.2 million infected portable executable files scans the images and is able to achieve 99.07% accuracy in identifying and classifying malware. That's not that great really for practical purposes, but for demonstration purposes, it's quite impressive. There's a 2.58% false positive rate there as well. Microsoft said the system works best with smaller files so you could limit it to just doing smaller files and potentially have an even better performance rate. And then you've got something that could practically be put on a client because Microsoft's doing a lot of client-side neural networks right now. Yeah, I mean, I guess my initial question was, okay, so the idea of converting it to some sort of an image format is how you're going to make it much smaller of a file that can then be, you know, you can run it through the process along with lots of other millions of small image files and figure out if there's an issue.
I don't know, 99.07% isn't 100, but it is promising, at least in early tests. No, but yeah, yeah. No, it's like I said, it's good for a demo. Probably you'd want higher, an enterprise certainly would want a higher percentage in practice. And yeah, you hit on it. One of the things is performance because you can resize the image. So it's actually, you can actually get through more than if you were looking at the raw files. And also we already have deep neural networks trained on image recognition. So you can use a lot of existing code to process this without having to rebuild it from scratch. I suspect the false positive rate is also going to put off enterprise at this stage. To, you know, best part, 2.6% is far too high for a big enterprise network that needs to, you know, cannot be dealing with major malware outbreaks. That's far too high. And also, because you can't disrupt a business for something that might not be a problem as well. Yeah, yeah. And that's why Microsoft's like, well, the smaller files, we might be able to get it into an acceptable range. And then, yeah, you're not meant to be scanning all the possible files. You can separate it by mime type and that sort of thing. Could be something there though. And it's a really ingenious, cool thing separate from what it could actually do. Something that also might be cool depending on where you work or who you email with. Microsoft began rolling out a Reply All Protection feature for Office 365 and Exchange Online called Reply All Storm Protection. It's exactly what it sounds like. Designed for larger organizations, the feature will detect 10 Reply All emails to over 5,000 recipients within 60 minutes and be like, uh-oh, we've got a problem. Once triggered, users won't be able to reply all to the thread for four hours. They'll also receive a notification that the conversation is too busy with too many people. Then users will still be able to reply or forward to a smaller number of participants. 
They really have to, but it will make them think twice. I'm so here for this. I know. To be honest, as you're going through this, I'm just having Reply All PTSD, but I'm basically anything that makes Reply All less horrendous for all involved, I'm very here for. I mean, I agree with you, but it's how many 5,000 recipient Reply Alls have you been on? I haven't been on any that are 5,000. Yeah, I don't think I've ever gotten that I've ever been on anything with that many folks, but even 500, that has happened. It gets unwieldy pretty quickly. And the whole point with the story is Microsoft is like, this can bring down operational servers. This can actually really impact your day just because people are like, why am I on this thread? And then 100 other people do that at the same moment. Yeah, there's two different elements to that, isn't it? One is keeping the show on the road and the other is just the horror of being in a never ending Reply All storm and to end the latter one, which in terms of IT functionality is not that important, you probably would have to limit this to like five or 10 people even, but because this is obviously focused on enterprise, on big business, on making sure servers don't fall over, you can see why they've set the threshold quite high. And also you don't want it to be, you're a startup having big conversations and you need to, all the staff need to be involved in this conversation, suddenly you're blocked from doing that. Yeah, this is not gonna stop Daryl from annoyingly replying to the daily update, but it will keep your actual email system running should 500 Daryls reply to the 5,000. Daryl means well, he just is enthusiastic. Yeah, or if he possibly is an energy vampire, one of the two. Eindhoven University of Technology researcher, Björn Ruytenberg demonstrated something he calls Thunderspy, a vulnerability on some Windows and Linux PCs made before 2019.
Thunderspy bypasses Thunderbolt's Security Levels feature or forces a Thunderbolt port to only use USB connectivity, which then allows direct memory access, which then can allow you to do all kinds of crazy stuff. Thunderspy does require physical access to the Thunderbolt controller. So this is not something that will happen to you over the internet. Usually what happens is, the scenario is usually you left your laptop in your hotel room, someone gets access to your room, removes your computer's backplate, attaches an SPI programmer device, flashes your firmware to change the security state on Thunderbolt to none. That's the vulnerability, is that they can open up your computer and flash new firmware to your Thunderbolt controller and then you're vulnerable. Then they would take previous Thunderbolt vulnerabilities and plug something into your Thunderbolt device and hack your computer that way. The firmware update takes about two minutes. It would take another couple of minutes to plug something in and do the hack and exfiltrate the data. And if you're me, about 30 minutes to actually unscrew stuff and screw it back in, but probably professional spies are faster at that. Intel's Kernel Direct Memory Access Protection does prevent this attack, but Ruytenberg points out that that feature is not yet standard. In fact, it's not supported by devices made before 2019. And a lot of major OEMs, including he calls out Dell particularly, don't appear to offer it yet. So Intel saying, this is fixed in our Intel Kernel Direct Memory Access Protection, but if your computer manufacturer doesn't support it, well then there's a little he said, she said about what needs to be done. If you're confused and you're like, I don't know if I'm vulnerable to this and I need to find out because I'm a high value target, go to thunderspy.io to check if your machine's Thunderbolt controller is vulnerable or whether you have the Direct Memory Access Protection.
Most of us, in fact, I was gonna say all of us on this show don't need to worry about this. This is state level actor kind of stuff. And also it needs physical access. So I think we're all okay for the moment, but somebody has to really target you. Exactly. Yeah, but Joe here side, clearly the implications if some point before this is fixed fully, you were hit with this. It's obviously very serious. As you say, it's kind of state level, high end stuff, but it's worth noting because there's been a lot of discussion about whether or not it applies to Macs and macOS. And it's worth noting that I think macOS, it doesn't work on, but if you're running Boot Camp, I have a Windows partition on your device, then you are still vulnerable to the attack. Yeah, because the vulnerability comes through Windows. Got it. Okay, that makes sense. Awesome. That's my understanding. If we've got a story up at the macobserver.com, if you wanna know a bit more from my colleague Andrew or he also links to the original paper if you're the person that wants to dig into that. But it's not like it's one of those things where Mac users can go, not our problem, because a Boot Camp partition does change things. I will add that it is a great reason to encrypt your hard drive and or data or both. Does that mitigate it though? I'm not sure if it does. They can pull data off, but if the data is encrypted, it's still encrypted. There are some Thunderbolt vulnerabilities will allow them to get into the machines and bypass encryption, I think. I would be hesitant to say that encryption alone would mitigate this attack. I think I'm not contradicting Roger's good advice of encrypt your drive, but I would hesitate if you are a high value target to think encrypting your drive is all you needed to do to protect this. 'Cause it is direct memory access and I think there's ways to get at data, especially data in your memory that could be very valuable that wouldn't necessarily be protected by drive encryption.
PepsiCo, small company, makers of walkers, potato crisps, have you? Charlotte, yeah, they're very indie. Launched websites at snacks.com and pantryshop.com to sell you PepsiCo food products directly online. If you're like Pepsi is not a drink, they sell a lot of different kinds of foods, snack foods. Snacks.com will feature more than 100 products from Frito-Lay. Pantryshop.com will feature bundles of items with themes like breakfast, family favorites and exercise. Orders are expected to arrive within two business days. Yeah, what's the exercise? It's something about like getting fit or... Well, it's probably like a slight amount of caffeine. It's called workout and recovery. So it's muscle milk and protein bars and propel the... And listen, I punish your electrolyte. Ha-ha, we laugh a little bit, but I mean, there are lots of snacks in the PepsiCo brand products that I like. I think what's really fascinating about this is it put me in the mind of the fact that all of these makers of movies and TV shows have been coming out with their own streaming services because they look at the situation online and say, ah, a lot of people want to watch online, let's cut out the middleman. Why do we need to pay a cable company? We can just give them the shows directly. And this is food companies noticing everyone buying food online right now and going, hmm, maybe we could do that too and just sell them all our brands. Do consumer people like that? Yeah, like why are we making them go to the corner store that isn't open anyway to buy our products? Yeah, and one Tom's right, it's kind of jumping the middleman. And also a lot of these companies who have some kind of food production or food distribution capability, which obviously in PepsiCo's case is huge, are adapting to help and provide different types of products for other people. 
Now, obviously if you're PepsiCo, you don't need to worry about that getting, I was telling you guys before the show, there's a cupcake company here in the UK, that's also now delivering fruit and vegetables and those kind of things. But obviously if you're PepsiCo, you have so much on your books, you don't need to worry about anyone else's stuff. You can just distribute your products and yeah, is it any different to the movie makers putting, making their movies available to download now that there's no movie tickets open, it's no different. Yeah, and PepsiCo, Frito-Lay, so all those snacks, that's at snacks.com. And then at the pantry thing, you're talking about granola bars and granola and oatmeal and juice and all kinds of things. Home and pantry items. Yeah, exactly. Hey folks, if you wanna get all the tech headlines each day in about five minutes, be sure to subscribe to DailyTechHeadlines.com. The World Health Organization plans to launch a COVID-19 symptom checking app later this month targeted at under-resourced countries. That app will offer guidance about symptoms. So helping you decide like, is what I'm feeling possibly COVID-19. The WHO also plans to include a self-help guide for mental health care while you're in isolation, also looking into a proximity tracing app. That they're not launching yet, but they are considering using Apple and Google's protocol. They say that legal and privacy considerations prevented the WHO from committing to that feature, especially because the WHO wants to make one that's available worldwide. And you have so many different rules around that that they're trying to navigate. As we have seen on DTNS, we've talked about the different approaches in the United States, in France, in Germany, in Singapore, in Korea, to tracing contact and how much technology plays into that and how apps play into that.
Most recently, on Friday, we mentioned that the UK not only is testing a centralized contact tracing app on the Isle of Wight, but also, apparently, according to some reports, has hired a company to create a decentralized app, in case they want to change their mind, which I think has a lot of people going, well, wait, what's going on in the UK? Are they going to do centralized? Are they doing decentralized? Why are they doing two? Charlotte, can you help us make any sense of this? I will try, I will try. So first, yes, so first things first, you were right to say it was the Isle of Wight, which is, there were particular reasons the Isle of Wight was chosen. There aren't that many cases to start with. Obviously, it's an island in and of itself, so it's quite a kind of good test space that has enough people, but not so many people. It's kind of made sense to test it there. And I think my understanding is the take-up was slow, but has now apparently, letters were instructed to send to 80,000 households on the island. I think I read that 55,000 of those people have now signed up to the app, which is pretty good because obviously the key thing about any of these contact tracing technologies is that kind of 60%, I think it was 80% of smartphone users, 60% of the general population pickup apps need to use these apps and that's what makes it effective. So you've got all that going on, that seems to have worked. People were critical of the approach. The UK had taken, there was issues, for example, particularly on iPhone, whether if it was just two iPhone together, after a certain period of time, and if they were locked, would they stop talking to each other? We're using the Bluetooth technology, Bluetooth handshakes. And there was some concern that there would, and it would need an Android device to kind of wake everybody up. So there's been a lot of debate about whether this version of the UK app was going to work. 
I think the government would say they need it to be centralized to make sure all the data's going to the right place and so on. My understanding was Apple was continuing to advise the UK government even when it sort of drifted away from the model that Apple, Google had proposed. But as you said, it kind of came out towards the end of last week that it looks like a second group of developers is working on a decentralized Apple, Google model. Now, you could say actually, this is rather sensible. You know, you've got one test going because we need to remember there's a lot of talk about this Apple, Google model, but it doesn't really exist yet. There's an API that has been seeded to some developers in a beta, an iOS beta. That's basically where we're at now, right? So if you want to start things rolling, doing a different way and kind of trying something else out first that may or may not work is not the worst approach to take. Yeah, in a perfect world, get together and figure out what's the best in both worlds. Right, so it's not the most disastrous decision and it's got a test going and if it doesn't work, then you are allowing yourself the option to move to the second option. Now, this is what happened in Australia, as I understand it. They were operating on a centralized model, not dissimilar to what the UK is approaching. And they did have to run updates to make sure to move it more to the Google Apple model. So I think, so there's obviously going to be a Germany flipped quite significantly before launching the app behind the kind of the big tech partnership, if you like. Yeah, it comes down to the centralized model is it is more difficult to protect privacy or at least to assure people that you're protecting privacy. 
With the decentralized model, you can just put the data on the device and say, it only leaves your device in very rare circumstances and we can define those very carefully and there is no centralized server that you have to trust that someone is guarding and that no one's misusing because the data is on your phone. That's the benefit of decentralized, which is why Apple and Google hilariously came up with it because they're so hammered with privacy concerns constantly that they wanted to come up with something bulletproof on the privacy side. But it means that the data is a little more limited and you can't do some of the more aggressive location tracking like what they did in Korea where they actually just went into GPS and said, all right, let's just find out where people are and text message them directly because folks are less comfortable with that in Europe and the United States and certainly not comfortable having tech companies be the ones in charge of that even though third-party advertising probably has more data than either one of these systems. Yeah, I mean, I think we can make, I think the privacy, these lack of everything in this kind of grand policy response to COVID-19, everything is a balance, right? Yeah. And for a period of time, maybe we are gonna have to accept some reduction in our internet privacy but the fact that you're using Google Maps but don't want the Google, Apple or a COVID-19 contact tracing app which I've seen people say is kind of missing the point somewhat. We know tech companies do have data now, Apple has always been pretty good at privacy and security, Google has got better, they farm a lot of data but basically they want it for themselves, they don't really want anyone else to have that data. You know, this is not Facebook, it's a very different kind of model, right? Sure. 
And so I can understand why those two companies came together, I also totally understand the discomfort but you know, we all need, as a world we kind of need to move forward and this is not a bad solution but the UK response has been a bit muddled, we've had NHSX which is the health services kind of digital transformation unit trying to lead on this and they clearly have now deployed a second set of developers. So it will be worth, I think they're waiting to see the results from the Isle of Wight and that will be the most significant thing. One, have they been, has it worked? Has it, you know, have the conversations between devices been happening as they should? And two, are they getting the right kind of data in a secure fashion and is there a take up as well? Those are going to be the things and yeah, you can bring it, I guess you can then change the model and bring it in if necessary. And as we wrap this up, I just want to emphasize all of this requires comprehensive testing availability so that you can test the people, the contacts and find out do they have it and of course manual contact tracing. This is not a replacement. This is a supplement at best. Some epidemiologists argue that manual tracing alone is really all you need and these apps may not be that helpful. That's another reason to test them and find out how helpful they may or may not be. Well, if you want to be helpful you can join in your peers in the conversation in our Discord which you can link to by, we can join anyway, by linking to a Patreon account at patreon.com slash DTNS. Let's check out the mailbag. Oh, let's. Byron in Los Angeles says, when Patrick on Friday's show mentioned moving Tom's old DLP TV, I got a warm fuzzy feeling inside. I've always had a soft spot in my heart for DLP technology and as a matter of fact, I am still to this day using a Mitsubishi 60 inch DLP TV in our living room that I bought way back in 2009 when I got the white dots of death.
Years ago, Mitsubishi sent a tech out and replaced the DLP chip for free and I'm only on my second bulb of this set's life. So major kudos to Mitsubishi for standing behind their product that's still going strong for 11 years. Of course, now that I've said that it'll probably fail tomorrow but such is the life of tech, sigh. Thank you Byron. Yeah, you had better luck with your DLP. Mine got the white dot and it could not be revived and it sat in CNET for a while before I finally found a place to recycle it at. I did a video on how to try to re-solder a chip with it. So it's great to hear that yours is still going. That's amazing. Yeah, yeah, I know how it is to be like, it's old, but I love it. I just want it to keep working forever. Hey, shout out to patrons at our master and grandmaster levels. You'll keep working forever, we're sure of it. Martin James, Bjorn Andre and Tim Ashman. Also thanks to Charlotte Henry, the beginning of a fun filled week, I'm sure. Charlotte, where can people keep up with your work? Yes, yes, we're gonna have a great week team. Let's go and win positivity. I'm obviously at themacobserver.com every day and at Charlotte A. Henry on the Twitters, if you wanna say hi. And folks, if you can and if you can't, it's fine but if you can support us and you wanna make sure we keep doing this kind of technology coverage for you, there's a great way to do it directly. Cut out the middleman, dailytechnewshow.com slash Patreon. You can support us for as little as $2 a month, that's 10 cents an episode and get a few perks and extra bits of content along with it. That's dailytechnewshow.com slash Patreon. If you've got feedback for us, our email address is feedback at dailytechnewshow.com. Keep it coming, we love to hear from you. Also we're live Monday through Friday, 4:30 p.m. Eastern, 2030 UTC. Put it on your calendar, join us to find out more at dailytechnewshow.com slash live. Back tomorrow with Patrick Beja, talk to you then.
This show is part of the Frog Pants Network. Get more at frogpants.com. Hope you have enjoyed this program.