 Daily Tech News Show is made possible by its listeners. Thanks to all of you including Scott Hepburn, Bjorn Andre, and Jeff Wilkes. Coming up on DTNS, Shannon Morse tells us if there's any hope in the face of rising zero-day attacks. Also, UK folks can watch TV while their car drives them, and whether Apple should have to pay $1,000 for not including a charger with its phone. This is the Daily Tech News for Friday, the 22nd of April. Not April 22nd today. 22nd of April 2022. In Los Angeles, I'm Tom Merritt. And from Studio Redwood, I'm Sarah Lane. From Studio Colorado, I'm Shannon Morse. And I'm the show's producer, Roger Chang. Let's start right into it with a few tech things you should know. Google is changing its app policy for the Play Store to block third-party call recording apps by May 11th. Call recording apps usually take advantage of the accessibility tool in Android. Google says apps with a core functionality to directly support people with disabilities will still be allowed to use the function. However, can't be used for remote call audio recording. The policy also doesn't apply to dialer apps with native call recording functionality like Google Phone or Mi Dialer, because those apps do not use the accessibility function. India is the world's second largest internet market after China. And The Wall Street Journal notes that Google and Walmart are dominating the lucrative payment app marketplace there. According to data from the National Payments Corporation of India, Google Pay and Walmart's PhonePe combined for more than 80% of the market. But last week, WhatsApp got approval to roll out WhatsApp Pay to 100 million more users in India. They've been fighting India's government and they only could roll it out to 20 million, so now they got 100 million more. That's still about a fourth of its user base in the country. However, new rules require that no third party payment provider can exceed 30% market share. Bad news for Walmart and Google. 
Good news for WhatsApp. WhatsApp's parent Meta has been in disputes with the Indian government over in-country data storage and end-to-end encryption, but things might be finally turning around for them there. Sony announced on Friday that it plans to launch its revamped PlayStation Plus subscription tiers on May 23rd in most of Asia, June 1st in Japan, June 13th in the Americas, and June 22nd in Europe. As a reminder, there's three tiers, $9.99, $14.99, and $17.99 per month. The first two tiers include multiplayer access, downloadable games and storage, and the top tier adds streaming and game trials. Framework. Remember we talked about that a while back? It's the modular laptop platform. They announced that the main board is now available separately in the framework marketplace. That means you don't have to start with a laptop form factor to get going. You could start just with the main board and make something more like a Raspberry Pi. The main board has the processor, slots for memory and storage, and connectors for expansion cards, and up to four displays. There are three versions available for sale with three different Intel chips, ranging from $399 to $799. Framework also published documentation and 3D printable designs for cases. Inflation isn't just hitting product prices. It's affecting wages too. The Wall Street Journal collected several indicators of wage inflation in technology. CompTIA reports a 43% increase in posted tech jobs in the US over the last year. Staffing firm Mondo says average salaries for software engineers rose 11% over the last year. And Cloud Architects saw a spike of 25%. Alright, let's talk a little more about not paying attention while you drive. Yeah, so drivers in the UK are prohibited from viewing non-driving related content if they're operating a vehicle. But what if the car is driving itself? 
The UK's Department for Transport proposed updates to the Highway Code for people using self-driving vehicles that are registered as self-driving with the government. Under the changes, drivers would be required to take control of vehicles when prompted, watching television only on the vehicle's own built-in screens would be allowed while in motion, but mobile phone use would remain illegal. Users of self-driving cars would not be responsible for crashes with insurance companies liable for claims. The new rules are expected to take effect this summer, and the Department of Transport expects the first self-driving vehicles to be registered for use on UK roads later this year. The rules are also a temporary measure ahead of a full framework on autonomous vehicles, which is set to happen in 2025. Yeah, so we were all wondering, wait, why can you watch the TV on the built-in screen and not on the phone? And it turns out the key here is that we're probably talking about Level 3 autonomous driving. They made it clear that this does not apply to lane keeping or collision avoidance or anything like that. It does not apply to Tesla self-driving, for example. This would apply to Level 3, which is when the car is able to drive itself without supervision. No car that you can drive right now can drive without your supervision. So if you get a Level 3 car, like Sara said, there aren't any registered yet, but they think there might be before the end of the year, then you could look away and watch TV. But the reason they want to limit it to the in-dash is that if the car requires you to return to supervising its operation or to take over operation, the in-dash can pause the video and say, hey, you need to pay attention. Your phone won't because your phone's not necessarily connected to the car, so they don't want you so distracted by something that can't get interrupted. Yeah, that makes sense. 
That was my first question, is like, I can watch TV and not really pay attention to anything. But sure, yeah, if the screen pauses or even goes dark, you know, if it's time to put my hands on the wheel and take control again, that feels, I don't know, it feels fair. I feel like that's, you know, we're getting to a point where if a car is Level 3 or higher of autonomy, then the whole idea is that as a driver, you're not doing anything. You know, you might be there for safety measures or for backup type thing, but you should be able to be distracted that sort of the whole point. Well, it's not that you should be distracted, but if you are, that's the whole point. You should be able to be distracted without anything bad happening. Exactly, yeah. Speaking of distractions, this immediately made me think about, you know how people started hacking Peloton so that they could watch Netflix and not be forced to watch whatever was in the Peloton applications, because it was Android based. I wonder if people are going to start doing that with these kind of products as well, like built-in monitors or built-in displays. Yeah, could you hack it to be able to watch something that isn't part of the car manufacturer's platform, but then it's still be interruptible, right? I would want that. I would want to be like, yeah, I want to hack this to play Netflix and Hulu, even if that's not allowed, but I still want it to interrupt me if it's like, I would too, absolutely. Hey, you know, your exit's coming up. You better stop watching because you have to take over, because a lot of times Level 3 only works on the highway. It doesn't work on surface streets, stuff like that. And I wonder, you know, this whole driver not being liable for a crash, if you were to hack anything like that and something were to happen, well, that's another story. I wonder if we get into some messy criminal cases where somebody... Legal troubles. 
Yeah, where it's like, well, this isn't the factory television anymore, dude, and therefore it didn't work properly and you got in a car accident or something. And that could be a very, very major issue in the future, especially as these start to come to market in the next several years. If these products do start getting hacked, like are we going to see some kind of accident happen where that's going to be a really major court case? It could end up being a major precedent for future cases after that. Yeah, and you would be liable at that, right? The insurance company could then point to the fact that like they... Assuming they could tell that you modified it, which I would think that they could. Good question. Given how much data they collect whenever we're using these kind of displays. There's got to be some telemetry that even says like, the packets coming into this thing were coming from Hulu.com and we don't have a Hulu app or whatever, something like that, yeah. I imagine there's a lot of people who are still going to say this is a bad idea until we get to level four or even level five, where you're not able to take over the car. A lot of people are going to say, you know what? You shouldn't be that distracted. You should still be easily roused. We don't want you to get lost in watching 2521 on Netflix and therefore unable, even when it goes black, to shake yourself out of it. I can see that point of view. I'm not sure if I subscribe to it myself though. I don't want my Bridgerton to get interrupted, Tom. That's the other thing, right? Is it going to be like, you know, I'd watch video, but it's going to get interrupted because my exit's five miles away, so I'm not going to do it. Not enough time. Well, on April 12th, a regional judge from a state in Brazil ruled that Apple must pay 5,000 reais, about $1,080 in USD to a customer who complained about not getting a charger with their iPhone. 
Now, Apple is required in some markets not to package chargers, but in Brazil, it voluntarily does not include them. Apple says this is to prevent waste, but it, of course, also lowers the cost per unit for Apple. The judge, however, found Apple violated a consumer law that prohibits manufacturers from requiring multiple purchases of its products in order to gain essential functionality of one. Apple argued that it still included a USB-C cable, which could be used with any manufacturer's charger, not just their own. The judge, however, noted that most chargers for sale use USB-A, and the cable provided could not be used with those. Therefore, the judge ruled that Apple, quote, obligated the consumer to purchase a second product of its exclusive manufacturer. The judge also rejected Apple's defense, saying that it was trying to minimize environmental waste, writing, quote, the defendant continues to manufacture such an essential accessory, but now it sells it separately. So my question for y'all is, what do we think of this judge's reasoning? So, Tom, I have a feeling we're going to disagree on this one, but I don't think the judge is out of line here. I understand the reasoning. Judge saying, well, hold on a second, you know, it's an essential product. You need these two things. Most of the chargers that manufacturers make are USB-A, not USB-C. So Apple, you're not really helping anybody but yourself here, and you're selling it separately instead of bundling it together. I think it's interesting that in certain markets, Apple is required not to package chargers, just decides not to in Brazil, and Brazil says, no, you should. So, I mean, this seems like a fairly easy solution. Apple just starts bundling chargers with phones in the future. $1,080 is kind of steep. I'm sure the customer is happy about this. But yeah, I don't know where Apple really... The environmental thing, sure, you can lean into that. I mean, that has real merits. 
That's not a lie that chargers end up in landfills. But in this case, customer won. Yeah, I disagree with the judge on this. I definitely disagree with the judge on this because I'm not going on whether you think a charger should be packaged or not. That's a separate issue, right? I've had that conversation of like, is it really that wasteful to include chargers? I'm not going to touch on that, but I will say that the law is meant to stop somebody from fooling you from saying like, oh, we sold you this iPhone, but the only way you can power it is to buy this really expensive charger from us separately that we didn't tell you you'd have to buy and you thought it was going to be cheaper to operate that. And that's not what's going on here. They give you a USB-C cable. You can buy USB-C charging adapters for, you know, 5, 10 bucks pretty much anywhere that sells electronics. So the judge is wrong. This is not something where you are forced to buy something from Apple to charge the phone. Therefore, I don't think he's applying the law. Now, I'm not an expert in Brazilian law, so I might be missing something here. I'm perfectly willing to admit that up front. But from what I see, the law is meant to stop Apple from forcing you to buy from them and they're not. They're giving you the cable and saying, we hope you already have a charger in which case you don't even have to buy anything. But if you don't, you can buy a USB-C charger from us or you can buy it from anybody else. And I think that doesn't violate the spirit of this law. In fact, I don't think the judge understands the difference between USB-C and USB-A because making that argument seems silly too. Yeah, I agree with you on that factor because so many products now use USB-C, so it's become very dominant in households. However, I was one of those people who did not have enough USB-C chargers when I purchased an iPhone in 2020. 
And that was the first year that they stopped including the chargers with them and they had increased the charging speed. So I was not able to take advantage of the full charging speed because they did not include an adapter in the box that allowed me to use that full charging speed. So that was kind of annoying because I had to pay an extra like $40 or something to actually take advantage of one of the big marketing parts of the newest iPhone. Yeah, P-squared says, that's not what the law said though, Tom. The law said no second purchase required. I don't think that's what the law said. Now you may have actually read the law in Portuguese and know better, I don't know. But from what I understand, the law prohibits the manufacturer from requiring multiple purchases for essential functionality. And I think what Apple can reasonably say is, requiring someone to install electricity could be considered essential functionality, but we assume that everybody's got electricity. We should assume that like chargers are very easy to obtain. So there is a line there of what's essential functionality and what isn't. At least that's the way I look at it. Sarah, any rebuttal? No, you actually make really good points as usual. All right. Well, if you have a rebuttal, if you'd like to be like, no, Sarah, I'm still on your side. I'm going to email the show. Here's our email address. Feedback at DailyTechNewsShow.com. Zero-day vulnerabilities are ones that are already being exploited by the time they are discovered. The name comes from the fact that software makers have zero days to fix them. Most of the time when we discover a vulnerability, you hear like nobody's exploiting it in the wild. So you have, you know, an unknown number of days to fix them before somebody figures out how to exploit them. Zero days are like already being exploited. We just discovered it though. So you need to patch it yesterday. Security firm Mandiant noticed that there were 80 zero-day disclosures in 2021. 
That's 18 more than the previous two years combined. But that's not what you should panic about. Finding them is good. We mentioned on Wednesday show that Google's Project Zero noted that more zero days are being discovered, but not necessarily that there are more out there. Zero days are expensive to develop. They fetch a high price on the open market if you can find them before anybody else does. MIT Technology Review notes that a zero-day vendor, yes, there are people who deal in this on the dark net, called Zerodium, has a standing offer to pay $2.5 million for an Android zero-day. Zerodium doesn't use those. They're a broker, so they just sell it to somebody for more than the $2.5 million. Zero days generally cost in the millions of dollars, and the cost of developing these means historically they've come from sophisticated and usually state-sponsored espionage groups. You're talking intelligence agencies, stuff like that. However, Mandiant says its research shows that in 2021 about a third of all groups exploiting zero days were financially motivated criminals rather than government-backed espionage groups. Mandiant attributes the sudden rise to the success of ransomware, essentially the amount of money generated by ransomware has been so high that ransomware makers can afford the millions of dollars to get the talent that used to be only affordable by governments. There's also an increase in what are sometimes called one-day or two-day vulnerabilities where malicious actors race to exploit a zero-day before all the users of the software can fix it. So Mandiant expects more zero-day exploits from a wider variety of both state-backed and financially motivated actors with more vendors selling them, fueling more ransomware operations, which sounds like a never-ending spiral into hopelessness, Shannon. Is there any hope out there? No, Tom, we have no hope. We are doomed forever. I mean, they speak the truth. 
When I do my research for my security show Threat Wire, I have been seeing so many more reports of ransomware. And oftentimes the interesting part of this is it's not necessarily coming from these state-backed government hacking groups. It's actually coming from groups of teenagers who decided that they disagreed with a gaming company and wanted to hack them with some ransomware. And they are discovering, all these groups are discovering that they can make so, so much money off ransomware. So we may not be necessarily seeing a rise in all sorts of different kinds of zero-days, but a lot, I feel like a lot more of these hacker groups are just using all of these zero-days. And since we are starting to see so many more companies coming out and actually saying like, hey, yes, we had to deal with this zero-day. We had to deal with this attack, that's turning around and giving Mandiant the option to have this kind of report. They're able to prove these cases to us. So we're seeing this huge rise in ransomware, rise in zero-days. And I feel like all of it is just tying in together. Yeah, we've been banging the drum about ransomware for a while. And this is another argument of why you shouldn't pay. Absolutely. Because not only when you pay, does it encourage more ransomware, but then it sends that money into the ecosystem just one of the things that money is used for, right? Oh yeah, 100%. It's giving a lot of these groups, these advanced persistent threats, these hacker groups, it's giving them so much more money to just mess around with. And they're trying to find more and more ways to keep those income streams coming. And if they can release these zero-days, which oftentimes you have a zero-day that goes out if it's being exploited in the wild, chances are there's gonna be a ton of brands, a ton of companies and organizations that aren't even necessarily paying attention to the fact that a new zero-day is being exploited. 
And they might not even update or patch the problem for months and months in advance. So these issues just kind of continue getting bigger and bigger. And I think that's what we're seeing right now is this huge mountain of these issues just getting larger and larger. Do you think this changes the landscape at all in the sense that in the past, and as I just said, disclosure is always a good thing because disclosure even of a zero-day means now we have a chance to get everybody to fix it. If it's not disclosed, then maybe only the bad folks know that it's out there. And so it's exploited without anybody understanding how to fix it. Does this change that, though, when there's so many of them that this high level of disclosure means that there's more chance for one- and two-day attacks? That's a good question. Do you think that the disclosures are announcing these zero-days to more potential threat actors? That would be the argument is that if there are more disclosures, then maybe you're announcing them to more, and there's more people with the ability to take advantage of them because they've got the resources because of all this money in the system. Does that outbalance of, like, yeah, but if there's not a disclosure, then maybe still only those bad folks know to exploit them and you can't, at least with disclosure, there's a chance to shut it down. That's a good point, but also disclosures, you have to legally disclose if your brand gets hacked now. So we're kind of forced to, like, if you're holding an organization. That's good. It's interesting. 
It's an interesting problem that we're facing right now when it comes to security and privacy and information security, and I feel like one of the prominent fixes that we could see come to light in the next several years is going to be hiring more security experts and making sure that we have that kind of education accessible for people who want to go into this field so that we have more protections in place from people who know how to protect from these kind of exploits and zero days. Yeah, and it makes me feel good what we were talking about with Chris Ashley last week that there are more companies willing to hire security researchers based on the fact that they're good at it rather than making them jump through hoops and get a college degree in security, which I'm sure is valuable, but is not as valuable as being able to say, like there was the, the Pwn2Own is all about SCADA recently. And so that's what you want to, you want to get the people who win Pwn2Own on SCADA to defend your industrial systems, whether they have a college degree or not, right? Whether or not they have like certifications in place, like you can get certs through a company if they are funding it. Certs are very expensive and not everybody can afford those, but there are very brilliant InfoSec practitioners out there that just need to get those jobs. We need to find jobs for them. Well, we're going to wrap up the week with an extended mailbag. We thank you. We've got so many good emails from people. So keep those coming. Feedback at DailyTechNewsShow.com. What do we got, Sarah? Let's start with Nathaniel, who writes in, Nathaniel says, I'm a data scientist and an analytics instructor. I've only ever taught college courses online asynchronously, but the asynchronous class means I don't ever hop on a Zoom with all of my students. Rather, I prerecord videos and then I curate content for them as part of the coursework. 
Classes mood detection would be an awesome feedback mechanism for me in an environment where it's difficult to get timely feedback on the value of my lectures. However, most of what, much of what I teach and research concerns the risk of unintended consequences in ML applications. Humans tend to believe machine predictions more than their own judgments. This is where ML, machine learning, was intended to be a decision enhancer, but turned out to be an engine of self-doubt to ill effects. One example being the Child Protective Services algorithm deployed by the Allegheny County some years ago. So what happens when instructors believe the model's predictions over their own judgment or when the students believe the model's predictions over their own self-knowledge? That is a great point. And I don't think it means that these algorithms can't be used or I don't think Nathaniel's even saying they should never be used. But I think it does say... Yeah, keep in mind. Yeah, that we need to have a little extra training of like, hey, folks, this is an advice thing just because it's a computer doesn't mean it's never wrong because there's still a little bit of that cultural... I think it's waning, but there's still a little of that cultural thing of like, well, the computer can never be wrong. Well, and like, I don't know, if you think of something, this is sort of a silly example, but like your computer's calculator. I'm never like, is the calculator right though? Yeah, right. It depends on what it's doing. It's gonna be 100% right, but like, maybe if I'm having an off day, I might add up things in my head wrong. You know, because I'm a human, and I make mistakes or I'm in a bad mood or all sorts of things that we just assume, well, machines aren't capable of that, but as we get farther and farther along, it's like, machines are more and more capable of acting human-like, but yeah, it's not really an either or. It is an enhancer, as Nathaniel says. Yeah, it's an advisement. 
We were talking about Netflix this week doing an about face and losing subscribers. Frederick says, well, I personally am loving our current à la carte streaming lifestyle. I haven't been subscribed to Netflix in quite a while. I do seem to remember there were tiers built in to accommodate how many screens were available. If Netflix has paid attention to password sharing, are they taking into account how many screens the account pays for? Does a different IP address really make that much of a difference? Just a thought. Thanks for being the best tech show around. Ah, thanks, Frederick. Thanks, Frederick. Yeah, I always thought Netflix wasn't worried about password sharing because they charged by screen. Now, granted, the main reason for that is if you only have one person in the household, they're saying, well, you shouldn't have to pay as much. It's just you're just going to be watching one at a time. But if you've got a big family, you might want to pay for two or four screens because lots of people may be watching. And I always felt that was fair and that the password sharing would just be accounted for with that. But Frederick, it sounds like what they're saying now is, we think it's fine within your household or if one of you is on vacation, but if you're constantly sharing an entirely different household, that crosses the line. So, yeah, I don't know why they don't just say, well, you know what? If it's this many screens, you pay this much, except that they figure they can make more money if they draw the line at the household instead of just at the screens. This totally like butts heads with my security and privacy mindset of like, I need to use a VPN. I need to use VPN. I need to be able to tunnel my traffic through something else. It might be going out through a port here in America. So I have access to the same exact Netflix I would at home when I'm here in Colorado as I would in Virginia. But I still want to have that privacy. 
I don't feel like I need to be forced to share my actual unique IP address with any specific company if I don't want to. Although you do need to share your IP address if you want them to serve the video to you. Yeah. So you're kind of stuck there. They're going to know it at a certain point. But yeah, they don't need to pay attention to it other than to serve the video to you. So I get it. And I actually think Netflix is being very loose on this. They're not cracking down on people for going on vacation. You can say yet and maybe they will get there. But right now it's like we've noticed consistently that you're getting video from one place in Iowa and one place in Japan. And we don't think you're both, you know, you're traveling between the two. It's always on in both places. Now we think maybe you're password sharing. Got another email from Russ. This is in response to a conversation we had yesterday about Amazon opening up Prime to some sellers off of Amazon.com on the seller's own websites. Russ says to me, this is a great idea. Even if I don't get to have the receipts in my Amazon app, when I shop on Amazon, I'm always looking for that Prime badge. Not necessarily for the free shipping, although that's always nice. It's just a nice indicator that what I order is what I'm going to get. I have read or seen too many horror stories about people purchasing something from a third-party seller on Amazon and then getting something completely different. Oh, okay. Yeah. I don't think that happens as often as maybe people think, but certainly it's a nice way to trust you're going to get what you order on a third-party website. So that's a good point. Yeah. And then finally, Insteon. We talked about Insteon going dark and suddenly and with no communication. Stacey on IoT in her latest newsletter had something in there about the parent company has now sold off to a spin-off company that's handling the wind-up. So they're definitely going out of business. 
But Carlos has possible hope. He wrote in and said, I was listening to your coverage of Insteon going dark and this afternoon I saw a blog post from Home Assistant saying that they work with Insteon and still have a way for voice assistants to control those devices. So we haven't looked into it ourselves, but if Carlos is right, you might want to check out the blog post from Home Assistant. Thank you, Carlos. Yeah. Thanks to everybody for writing in. Like Tom said, feedback at DailyTechNewsShow.com is where to send those emails, questions, comments, all the good things. We'd love to hear from you. We also love to have Shannon Morse on the show. Thanks for being with us today, Shannon. Good stuff as always. Let folks know where they can keep up with the rest of your work. Thanks for having me. YouTube.com slash Shannon Morse, as usual. That's the best place to find all of my content. Turns out there's a whole bunch of like tax scams that have been happening this year. So I just did a video wrapping those up and what you should look for and be prepared for. So watch that if you are expecting a refund and don't answer any emails from the IRS because it's not the IRS. That's not how they do it. Yeah. No. They send you the papers. Yeah. And if they call you saying you owe money or the sheriff is going to be at your house in an hour, that's not happening either. It's not true. Oh gosh. I've had that one a few times. Thanks for a brand new boss, Clarkbug. Clarkbug just started backing us on Patreon. You get the goldest star ever, Clarkbug. Yay, Clarkbug. Clarkbug saved our week. Thank you, Clarkbug. Let me tell you, right now, if you sign up as a new patron, you're going to get a lot of love. That's all I'm saying. Very appreciative. Air hugs for all. In this economy? Thank you, Clarkbug. There's a longer version of the show called Good Day Internet. Do join us for GDI. If you can, patreon.com slash DTNS. This is where to find out more about that. 
You can find out more at dailytechnewsshow.com slash live. Have a great weekend, everyone. We'll see you on Monday. This week's episodes of Daily Tech News Show were created by the following people, host producer and writer Tom Merritt, host producer and writer Sarah Lane, executive producer and booker Roger Chang, producer, writer and host Rich Straffalino, video producer and Twitch producer Joe Kuntz, technical producer Anthony Lemos, Spanish language host, writer and producer Dan Campos, news host, writer and producer Jen Cutter, science correspondent Dr. Niki Ackermanns, social media producer and moderator Zoe Detterding. Our mods! Beatmaster, W.S. Goddus 1, bio-cow, Captain Kipper, and virtuoso Steve Guadirama, Paul Reese, Matthew J. Stevens, and J.D. Galloway. Mod and video hosting by Dan Christensen, video feed by Sean Wei, music and art provided by Martin Bell, Dan Looters, Mustafa A, A-Cast and Len Peralta. Live art performed by Len Peralta. A-Cast ad support from Trace Gaynor. We're going to miss you, Trace. We're going to be doing soon. Patreon ad support from Dylan Harari. Contributors for this week's shows included Scott Johnson, Allison Sheridan, and Shannon Morse. And our guests on this week's show were Dave Brodbeck and Nate Langson. And thanks to all our patrons who make the show possible. This show is part of the Frog Pants Network. Get more at frogpants.com.