Skip Birchette has supported independent tech news directly for five years. Be Like Skip! Become a DTNS member at patreon.com slash DTNS.

This is the Daily Tech News for Friday, June 28th, 2019 in Los Angeles. I'm Tom Merritt. And from Studio Feline, I'm Sarah Lane. And from Sailor Snub Studio, I'm Shannon Morse from Threat Wire. And I'm the show's producer and slightly sweaty Roger Chen. We are going to chat with Shannon about some of these ransomware attacks you may have been hearing about where cities are actually paying up. Is that the new trend? Short answer, Shannon, is probably yes, right? But we'll tell you why in just a few minutes. Let's start with a few tech things you should know.

EA Access will launch on the PlayStation 4 on July 24th. The service has been available on Xbox One for about five years and gives players access to Electronic Arts' library of games. The subscription service is $4.99 per month. And subscribers also get access to pre-launched trials and a 10 percent discount on EA digital purchases.

Apple will begin selling the One Drop Blood Glucose Monitor in select retail stores. The device takes blood glucose readings and syncs to the Health App on an iPhone or Apple Watch. The device sells for $70 at Apple stores and includes a year of coaching from a certified diabetes educator. One Drop devices have previously been available through Apple's online store.

The Wall Street Journal reports that the new Mac Pro that Apple unveiled at WWDC earlier this month will be assembled by Quanta Computer at a factory near Shanghai, China. This is interesting because since 2013, the Mac Pro has been manufactured in Texas and was Apple's only major hardware product manufactured in the US with all others assembled by Chinese contractors. Quanta also manufactures the Apple Watch.

All right, let's talk a little more about what happened yesterday.
We mentioned because it broke during Thursday's DTNS that Apple announced its head of design, Jony Ive, is leaving the company, not just leaving the white room he's been imprisoned there for 20 years. Ive plans to start his own design firm called LoveFrom, along with fellow Apple designer Marc Newson, which will, of course, have Apple as a client. How cool is that? You got a built-in solid client right from the start. I think he'll make a go of this. Going forward, VP of Industrial Design, Evans Hankey and VP of Human Interface Design, Alan Dye, will report directly to the Chief Operating Officer at Apple, Jeff Williams. They used to report to Jony Ive. Also, Apple announced that Sabih Khan has been promoted to Senior Vice President of Operations and the executive team. I think this may be one of the first times, certainly rare for an SVP, not a not a full C-level officer to get on to the executive team. And Khan will also report to Williams, the idea of taking some of the operations pressure off Williams by having Khan be on the executive team for that, giving Williams a little more ability to focus on the design stuff from Evans and Dye. Ive, Jony Ive, designed the Apple Park, the new campus, which will be his last big Apple design as an employee. He's also been working on some of the retail stuff, but the Apple Park's really his piece de resistance, right? He has been away from day to day work. Ive handed off day to day ops in 2015 so that he could spend more time in the UK with his family. So this shouldn't be too much of a shock. He's also been dabbling in things outside of Apple products. He designed a Christmas tree for a London hotel in 2016. He designed a ring made entirely of diamonds in 2018. He contributed to the design of Kylo Ren's lightsaber. And if you're wondering, OK, so these two designers that are now the top ranking designers at Apple with Jony Ive leaving, Evans Hankey has been running day to day industrial design for a while.
She has given a lot of the credit for more recent designs. And Alan Dye has been running Human Interface, your software designs since iOS 7. So these are not inexperienced hands. And it doesn't seem to me, Sarah, that losing Jony Ive loses more than a visionary presence and the idea is because Apple will be a client, he can still sort of lend that advice and that consulting still.

Yeah, I mean, as as several publications, Mark Gurman over at Bloomberg being one of them said, listen, after the Apple Watch, Ive, at, you know, for anybody who was familiar with his day to day had had already stepped away. Four years after that, this being the case, not a huge surprise. And then you've got the folks who are like, end of an era. This was, you know, it's Jony Ive, right? You know, he was a force of nature in the design of Apple products for for quite some time. And then he got the folks who were like, well, is it weird that the people who will be succeeding Ive in, you know, as far as day to day operations, at least, you know, on paper, if they haven't already to be reporting to the operations guy, you know, is, you know, the head of design has not been replaced. We've had a little bit of a shake up going on in management here. Does that spell anything good or bad for the future of Apple design?

Rene Ritchie pointed out that Apple very rarely promotes people into their executive team without making them prove themselves quite a bit. So it may be that having these two report to Williams is a way for Cook to evaluate which of them ought to get the gig at some point, let them prove themselves a little before they do that. Shannon, I'm curious, you know, as an Android user, what this all looks like to you.

Yeah, you know, I was reading up on this and I am an Android user. So take my opinions with a grain of salt, of course.
But it was interesting to me that so many people were calling Jony Ive, you know, the soul of the design of Apple for such a long time because he has been around since I believe it was 1998. Yeah, it's been a very long time. So I feel like from a consumer standpoint, we're not going to see much of a huge difference, especially since he's already pulled back so much in the past four years. You know, he took took so much away after, you know, 2015. And a lot of people have already been, you know, well, maybe not took so much away is the perfect terminology for that. But he stepped away in 2015. So other people have already been stepping in to replace those design aspects. So I think that a lot of people aren't really going to notice a change as far as, you know, when they're purchasing their products and everything. And I also worry that maybe that takes a little bit away from the people that are going to be replacing him. You know, I feel like they're also going to be really influential in the design steps. So maybe he's not necessarily the soul of the design of Apple, but he was one of the generations of the design of Apple.

Well, you hear to this day, you hear that. Well, if Steve Jobs was still around, boy, you know, that quarter would have been better. So I wonder how in the design specific aspect of Apple going forward, if there are perceived missteps or or, you know, products that people don't like or wish were different, we're going to hear a lot of that. Well, if Jony Ive were still around. However, if he's if he's legitimately working for his own consultation firm and Apple's a client, maybe this is all for naught. Maybe, you know, life goes on somewhat as normal for the rest of us.

Yeah, my take is this seems to be a smooth transition of where Jony Ive already was, which was less and less involvement in the day to day, more and more consultation, lending his brilliance where where he could.
And he'll continue to do that just from outside the company as a client and give him some more freedom to be with his family in the UK and do more Christmas trees or whatever. Do you want to talk about Google? Yes, please.

reCAPTCHA's latest version, which Google launched last fall, is invisible to users and it's now used on more than 650,000 websites. Google now analyzes the way users navigate a site and assigns them a risk score based on how malicious their behavior might be. So if a user with a high risk score logs into a site, reCAPTCHA can prompt a two factor authentication check, for example. But according to Mohamed Akrout, a computer science PhD student at the University of Toronto, reCAPTCHA simulations that ran on a browser with a connected Google account received lower risk scores than browsers without a connected Google account or ones using Tor or VPN. So this has led to some critics of reCAPTCHA to point out that privacy suffers as a result of the tool working effectively.

And I have to say, I think I agree with the critics. It's it's kind of it's taking away some of the efficiency as far as I feel with my security and privacy when if I'm logged into a Google account, you think that I'm a better human than if I'm not logged into any account and I'm using VPN for my own security or privacy. And you think that I must be a bot if I'm using that.

Yeah, I mean, it doesn't mean that you must be a bot, but they it'll be easier to prove you're not if you're if you're logged in. And that seems like a legitimate signal, right? Like, oh, this person's logged in, they've gone through authentication. They're probably not a bot then, right? I think the important part of this is that it's about how much you trust Google. If you're logged in to Google on your browser, they can already spy on every site you go to. They didn't need to get sites to add CAPTCHA, reCAPTCHA, and look at the cookies here. And so it's a matter of trust.
Do you trust when Google says, no, we won't be using this aspect of reCAPTCHA to target ads at you. If you trust them when they say that, then I don't think there's that much to worry about here. If you don't, then there's a lot to worry about there because then they are tracking you without your permission. But they're saying they're not.

So now Google did Google did reach out to Fast Company after Fast Company asked them for a quote, and they did say they would not clarify what they do with the data it captures with regards to user behavior via the reCAPTCHA, only that it is used for improving reCAPTCHA and general security purposes. So we don't necessarily know specifically they will not use it for ad targeting.

What they didn't want to say is how they manipulate the data because they don't want to give away to the bad actors ways that they could get around the bot detection. Right.

I just hope that like if I am using a VPN, even if I am connected to my Google account or maybe I'm not logged in, that it doesn't keep me from being able to get into a website. Hopefully I still have two factor authentication available to me after going through that, you know, in the invisible reCAPTCHA so that I can still access what I need to access because I would hate to be able to or I would hate to get turned away from a website whenever I'm trying to use my own security precautions just because I'm not using a Google account.

The idea here is that it's it's looking at your mouse behavior if you're not logged into Google and determining oh, that looks like normal human mouse behavior. So you should be fine. Good. The login to Google thing is just a way to simplify it and go, oh, well, that's really obvious that this is a real person. Right. Or you might just get one more like, just make sure you're a human type thing rather than being turned. If your mouse behavior doesn't fit. Yeah. Yeah.
According to NPR, Connie Monsees, Hi, Connie, told ABC News' Start Here podcast about how Google Maps navigated about 100 drivers into a muddy dirt road. You might say, what in the heck? All right, we'll tell you. Monsees was stuck in traffic on the way to the Denver Airport. If you've ever been to that airport, I won't even start. Monsees followed Google Maps advice to exit to get around the backup. There was a backup ended up on a dirt road, which recent rains had turned into mud causing many of the cars to get stuck couldn't get out of there. Monsees had a four wheel drive car and was able to take two other people whose cars were stuck with her. Google said the road was not marked private. And while it does account for road size, quote, issues can arise due to unforeseen circumstances, such as when weather conditions affect the quality of roads.

This is just a simple limit to how smart these navigation systems are. They can't tell that a road is muddy and wet. Yeah. So on a on a dry day, this would have been a great shortcut and everybody would have been sick. Because they're like, oh, man, we totally cut her out. All that backup going into Denver Airport. This is amazing. But, you know, there's another factor that navigation needs to account for, which is weather. Yep.

I've had a similar experience with Google Maps in Japan. Actually, I was driving to a cave in the middle of nowhere and they took me down a dirt path, which was only one lane in between farmland. And it looked like a private access road. It was just dirt. It didn't even look like a road. But it took me off the highway to get there, which it supposed was a lot faster than just staying on the highway. Makes sense, because there was some construction on the highway that day. But it was also very confusing. And since I was in a country in which I did not understand the language proficiently, I was not seriously like OK with that. I was a little concerned.
So I think if I was all by myself that day, I would have been even more concerned with the issue. But luckily, the weather wasn't that bad. Right. Yeah. Yeah, exactly. You don't have to go where the nav tells you. No, you don't.

Well, and it's somebody who uses Waze more and more, which relies a lot on feedback from other Waze users, which is part of why the the network is so robust. And most of the time, helpful. I have gone into pickles here and there where something has happened. And I just sort of assume that somebody maybe before me had reported it. But maybe I'm the first person who saw it type thing. And it is a barrier that I should have gone around. So, you know, I don't know, I feel like we should all just understand our maps a little bit better just in case. It's not a perfect system. Yeah. So, ladies and gentlemen, do not drive into the lake, even if it tells you to.

Politico reports that at a National Security Council meeting on Wednesday, officials discussed a strategy on encryption. A source told Politico the two paths were to either put out a statement or a general position on encryption and say that they would continue to work on a solution or to ask Congress for legislation. A decision was not made at the meeting.

Please don't ask Congress for legislation to weaken encryption and put in a backdoor. Please, please don't make us do this debate again. It's just, I don't know, Shannon, I'll let you I'll let you take this one because I think I'm exhausted on it.

Well, the timing on this is really interesting because I just read a story the other day about how Cloudflare is really actively trying to push for better encryption standards because quantum computing is continually making the access to being able to decrypt encryption so much more readily available and less expensive, too.
So the fact that they're saying they really want to create some kind of legislation to disallow, you know, Silicon Valley and tech companies from having stronger encryption, I feel like it's just not going to work because technology is in this rat race where we're continually getting better and better encryption, even if quantum computing is a thing. So what's what's the point of trying to legislate this? There's always going to be pushback.

Yeah, I mean, what they want is a backdoor. They don't care about strengthening encryption. They want a weakened encryption. So hearing the quantum computers might make it easier to break encryption is good news to folks who want to put in a backdoor because they're like, oh, well, maybe we could use quantum computers then. And I think that's your point, right? Your point's a good one, which is we don't need backdoors. We need to continually protect people's information, both ours and others. Because if you haven't heard us go through the argument, there's plenty of examples of it in DTNS. But when you weaken encryption for a good reason like law enforcement, you weaken it for everybody who has a bad reason like the bad guys. And that's just it's just not a solution. Exactly. Yep, that's always been the argument and it always will be.

Nielsen's mid-year music report showed an increase in streaming music of thirty one point six percent over the first half of last year to a record five hundred seven point seven billion streams, though it was a slower growth rate than previous years. So streaming still growing, setting records, but it's slowing down. We're starting to see some saturation. Though it was slower growth rate the previous years, Nielsen attributes the success to singles from Ariana Grande, Billie Eilish, Halsey, Khalid, BTS, Lil Nas X, Bad Bunny, among others. The report also noted the impact of TikTok and its five hundred million worldwide monthly users.
TikTok is often attributed to Lil Nas X's Old Town Road success, which is the most consumed on demand song of the year so far with one point three billion streams. Nielsen also notes video streams of music are growing faster than audio. Video streaming up thirty nine point six percent. Audio streaming up twenty seven point eight percent. Physical album sales, digital album sales, digital track sales, even vinyl sales all decreased and vinyl had been bucking that trend for years.

Yeah, this it very much points to especially the Lil Nas X on TikTok, which is it's it's an extreme case, right, of of gaining popularity. But how artists who will trend on more traditional lists, Billboard top ten or, you know, top 100 or a variety of variety of things like that are going to become part of these lists from apps that didn't exist five years ago. And, you know, I look at the I look at the Ariana Grande, sure, I know her. Bad Bunny had to look him up. Khalid learned about him recently, actually on DTNS, doing research for another music story that, you know, we covered more and more. There are artists that are rocketing to stardom from these areas that they just didn't exist five, ten years ago. And the rest of us are trying to figure out, OK, well, you know, music streaming and and the music streaming services, Apple Music, Spotify and and the others like that still still kind of the old guard compared to something like TikTok, which rocketed out of nowhere very recently. And especially in markets, certainly outside of ours. Mm hmm.

I think it's not listed on this list that we have in this TechCrunch story, but K-pop is a great example as well, because we've been hearing about them so much on social media lately. I just mentioned BTS. I just mentioned BTS. Yeah. And it's because of streaming platforms. It's because of the availability. It's because of that fandom and the stans and everything like that. Like, that's the reason why they're getting so big. So I love it.
BTS was on SNL recently, right? So I don't know why. And I did not know that it was like one of the highest rated SNLs because of the musical act, which usually kind of takes a backseat to everything else. And yeah, it was it was one of those moments where you saw a lot of think pieces like what's going on? You know, who's this? And there there are many, quote unquote, unconventional ways that that artists are are are hitting really hard in markets besides their own that I find very interesting in this whole conversation.

Well, folks, if you want to get all the tech headlines each day in about five minutes, you don't need to shed blood, sweat and tears. Just make it right by subscribing to DailyTechHeadlines.com on this spring day.

All right, Mary Meeker back in June said in her trends report that crypto extortion and ransomware are all getting faster and more targeted towards sensitive data. And we are seeing examples of that back in March. Jackson County, Georgia paid $400,000 to regain access to files. Last week, Riviera City, Florida agreed to pay 65 bitcoins worth about $600,000 to get back its files. Monday, the administration of Lake City, Florida voted to pay 42 bitcoins worth of about $500,000 to decrypt data from its systems that have been down since June 10th. Police and fire, on separate networks, weren't affected, but almost everything else in the city was. Previous victims this year include Lynn, Massachusetts, Cartersville, Georgia, Baltimore, Maryland, a hospital there, just to name a few. South Korean web hosting firm Internet Nayana paid 1.3 billion won. That's about $1.14 million worth of bitcoins to a hacker following a ransomware attack in June 2017. And Forrester Research has even issued best practices to cities saying they should invest in cybersecurity and business interruption insurance, benchmark the ability to recover from backups at scale because backups is one of your best defenses against this.
Plan how you would acquire and pay out cryptocurrency because paying the ransom in Bitcoin, which is usually what they want, is becoming a viable option for cities at this point. They also recommend putting a cybersecurity response team on retainer and hiring a ransomware expert. I think the thing that surprises me the most is that it is now becoming the norm to say, well, you know, paying the fine, paying the the ransom might be an option.

It's somewhat scary to me to think about the fact that paying a ransom is becoming the norm. And that's why I wanted to discuss the story is because we're seeing so many more ransomware infections, not only in cities, but also in private companies like ICS's, industrial control systems. We're seeing the same thing happen with, you know, hospitals like you had mentioned in that one city. So the prevalence of ransomware is becoming so huge, especially this year that it's becoming a very, very serious threat. And I believe that black hat attackers are seeing this as a very, very viable option to make a lot of money really fast. And the fact that these cities are paying out or they are coming up with an agreement, they're negotiating a deal with attackers says a lot about, you know, how long it takes to, you know, get your backups back up and running if you did have backups in the first place. And it talks a lot about how we are not preventing these incidents in ways that we really should be as cities, as governments and ICS's, because they are indeed having to pay these ransoms. So we really need to start considering like all the different options that we have. So maybe you don't end up having to pay the ransom, but you do end up having something in protection in the first place so you don't even get that infection in the first place because that is a lot of money.
I believe one of the attacks happened at one of the cities who said it would have ended up costing less for them to get the backups than it did costing them to pay the ransom. It ends up being a very, very big expense in the long run. And who's going to pay for that? Especially if it's a city or a government, it's going to end up being, you know, your taxes or whatever or some kind of loan from the government. So it's it's a big problem and it's something that we seriously need to handle.

Yeah, I think it was Lake City, Florida where the insurance company was contacted by the purveyors of the malware because they knew that the insurance company would be paying out. That can be a reason why a city might want to pay the ransom, because if you've got insurance that covers that, then you don't have to pay it. Whereas fixing the system and restoring from backup, you have to pay for, right? So there may be a line item where, well, it would be cheaper to fix it ourselves, but it would come out of our budget. Whereas if we pay the ransom that comes out of insurance and our budget stays stays cleaner, although it probably is going to raise your premiums. Right. This is becoming a complex issue and a fact of life. And just the reports that you're having cities pay the ransom to get their stuff back is going to encourage more malicious organizations to try this sort of thing.

And I can understand why they would want to get up and running so much faster instead of just trying to, you know, find their own decryption key and figuring it out themselves. They would rather pay that ransom because when your city is down for two, three weeks, you can't do anything. You can't collect profits from the DMV. You can't do anything. You can't, you know, get payments coming in. You can't deal with day to day work. There's so much that you just would not be able to do. So it completely makes sense that they would want to pay that ransom.
But at the same time, it's creating this effect that other attackers are going to start turning to ransomware. And we're going to see this happen a lot more often. At least that's what I believe.

And Lake City, Florida responded in 10 minutes. They they noticed this attack happening and cut it off, but it was too late. They these things happen incredibly fast. And they often happen in multiple points because they're usually spear phishing attacks. So if you have 15 employees all opening the attachment at the same time, that that makes it even worse.

Exactly. Yeah, I was going to mention how if you have some kind of pivot point within a network and that ransomware is already in there, it doesn't matter how soon you turn it off after you've gotten one computer infected, you're going to get the infection in your network if it's already in there. And that's the problem with these kind of infections is once it's there, it's pretty much a set deal that you're going to have to deal with this and your network is going to go offline. So preventing it before it happens with, you know, having that cybersecurity incident response team ready to go on hand so that you can call them immediately or having somebody come in like a penetration testing team way in advance and running a report for you. So you'd understand what kind of issues you might run into can be very, very valuable in the long run and will save you a lot of money.

Yeah, because once that data is encrypted, I mean, they can encrypt it real fast. And once it is encrypted, right?

Well, thanks to everybody who participates in our subreddit stories like these and others always appreciated. You can submit stories and vote on them at dailytechnewshow.reddit.com or you can join our Facebook group and do the same. Facebook.com slash groups slash dailytechnewshow. Sarah, is that the mailbag? It is. I believe you knew that. It's like you're reading my mind.
Derek in Japan wanted to throw in a few thoughts on our discussion yesterday about advertising, especially whether or not apps are listening to us and then serving us as a result. Derek says there is not an option on Facebook or Instagram to target anyone based on their conversation. That being said, plenty of companies collect all sorts of data to build audience profiles to allow advertisers to target them based on their interests and behaviors, et cetera. They can even build look-alike models from verified audiences to find new consumers. As these platforms and algorithms get more accurate, advertisers can get more precise or even more predictive with targeting, making it feel like publishers or platforms are secretly reading people's minds or listening in on their conversations. The truth is probably not any less unsettling. But I can say there isn't an option on Facebook to target people who've chatted about TSA experiences or Taylor Dayne videos, at least not yet.

And I kind of made that point yesterday, right? Like there there is definitely some there's some data gathering that gets close enough to seem almost like they're reading your mind. And I think that's the point that Derek is making. But but then, you know, when you've got third parties that are actually listening to you, that's a whole other ballgame.

The any any sufficiently advanced data targeting is indistinguishable from surveillance. Kind of, yeah. Because because, yeah, I think what's going on with those apps we talked about yesterday is they might listen for target keywords, attach that to your profile, take that profile and then say, OK, this this profile is attached to these elements and then then go buy ads to target those elements and then happen to target you, right? I mean, it's coincidence that they found you. Well, and maybe one out of every 20 of those, you're like, wait a second. Yeah, right. I never wrote that down anywhere.
You know, like that sort of thing, but you're not really understanding the way that, you know, it's trying to do that every time. It's a let me live by my conspiracy theory. Don't take your tinfoil hat off on our account. No, please, please, please.

Speaking of your tinfoil hat, Shannon, we're taking it off, either one. Let folks know of all the fabulous work you're doing and how they can keep up with it.

Yeah, absolutely. So I have gone pretty much full time on my personal YouTube channel. It's youtube.com slash Shannon Morse, where I do travel vlogs and I do technology reviews. I recently did my 2019 PC build. So if you want to see a really high end build, definitely check it out because I was in need of a new gaming and edit editing PC. I can't even tell you it was serious. I needed to build that thing like now. So definitely check it out. YouTube.com slash Shannon Morse and truly appreciate everyone who has been subscribing there.

Our goal each month is to get one more patron than last month. And if you are 20 or so people, you can help us get over the top. Become a DTNS member right now. Get an ad free RSS feed, special episodes from me. I'm going to be reviewing all the sources I use to build coverage of DTNS this weekend. You got to sign up though and become a member at patreon.com slash DTNS. And I'm going to start playing that music again for you. Our email address is feedback at daily tech news show dot com. Hey, man, it's Friday. You got to give us a break. We're live Monday through Friday at 4 30 p.m. Eastern 2030 UTC. If you can join us live, please do so. We'd love to have you find out more at daily tech news show dot com slash live. See you Monday.

This show is part of the frog pants network. Get more at frog pants dot com. The Diamond Club hopes you have enjoyed this program.