Tech Brew Ride Home - Tue. 12/14 – Is Log4j The Worst Bug Of All Time?
Episode Date: December 14, 2021More fallout from what is now being called potentially the worst bug of all time. Apple helps Android users discover if they’re being tracked by AirTags. A new entrant into the AR and VR product cat...egory that I guess we’re going to be covering going forward. Amazon is coming for DoorDash and Instacart. And how much did Meta have to pay to become Meta? Sponsors: Tovala.com/ride FirstRepublic.com Links: CISA warns 'most serious' Log4j vulnerability likely to affect hundreds of millions of devices (CyberScoop) The numbers behind a cyber pandemic – detailed dive (Check Point) Apple launches AirTags and Find My detector app for Android, in effort to boost privacy (CNET) Oppo announces Air Glass ‘assisted reality’ device (The Verge) Amazon Ramps Up Plans for Instacart-Like Service in U.S., Europe (The Information) Nike acquires NFT collectibles studio RTFKT (TechCrunch) Facebook Owner Is Involved in $60M Deal Over Meta Trademark Assets (Coinspeaker) Send us your nomination for the top tech stories of the year: chrismessina.me/topstories Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
On April 4th, 2023, around 2 in the morning, a man was found stabbed multiple times on a sidewalk in downtown San Francisco.
Hey, who did this to you?
What happened next turned the story into a political firestorm.
Reports have identified the victim as Bob Lee, the founder of Cash App.
From Bloomberg Podcasts, this is Foundering, the Killing of Bob Lee, beginning April 16.
Welcome to the Tech meme right home for Tuesday, December 14th, 2021.
I'm Brian McCullough today.
More fallout from what is now being called potentially the worst bug of all time.
Apple helps Android users discover if they're being tracked by air tags.
A new entrant into the AR and VR product category that I guess we're going to be covering a lot more going forward.
Amazon is coming for DoorDash and Instacart.
And how much did Meta have to pay to become meta?
Here's what you miss today in the world of tech.
Hey, so that whole log 4J thing continues to be a big, big deal. How big? Well, how about the fact that the
CISA director Jen Easterly said yesterday on a call with security and tech industry officials
that the Log 4J flaw is likely affecting hundreds of millions of devices right now and may end up
being the most serious bug she has seen in her entire career. In fact, quoting her directly,
quote, one of the most serious I've seen in my entire career, if not the most serious, end quote.
Quoting from CyberScoop, we expect the vulnerability to be widely exploited by sophisticated actors,
and we have limited time to take necessary steps in order to reduce the likelihood of damage,
she said, of the Apache Log 4J flaw. The issue is an unauthenticated remote execution vulnerability
that could allow an intruder to take over an affected device. Hundreds of millions of devices are
likely to be affected, said Jay Gassley of CISA's Vulnerability Management Office in the call with
critical infrastructure owners and operators. CISA, a component of the Department of Homeland Security,
is setting up a dedicated website as soon as Tuesday, that's today, to provide information
and counteractive disinformation, said Eric Goldstein, Executive Assistant Director for Cybersecurity at the
agency. The vulnerability would, quote, allow a remote hacker to easily take control of the system
in which they exploit it, he said. The industry briefing
was the latest alarm sounded by government officials from around the world, with CISA issuing a warning
over the weekend alongside the likes of Austria, Canada, New Zealand, and the UK. Goldstein said
CISA expects all kinds of attackers will exploit the vulnerability from crypto miners to ransomware groups
and beyond. There is no evidence of an active supply chain attack, quote, at this time, he said.
It's going to take, quote, sustained effort for organizations to become secure with diligence needed
even after applying patches from Apache, Gazley said. There's no single action that fixes this issue,
Gazzley said. It's a mistake to think anyone is, quote, going to be done with this in a week or two, end quote.
Easterly's advice was to make sure organizations have their security teams staffed over the holidays,
take, quote, all necessary steps to close easily exploitable weaknesses, end quote, and share even more information than usual with the CISA, end quote.
Need more data points to underline how serious this all is?
An analysis came out this morning, suggesting Log 4J attacks rose from just a few thousand on December 10th to over 800,000 within 72 hours.
Exploits may have been attempted on more than 40% of corporate networks globally at this point.
This is from Checkpoint Software, quote,
This is clearly one of the most serious vulnerabilities on the Internet in recent years,
and the potential for damage is incalculable.
Checkpoint research witnessed new variations of the original exploit being introduced rapidly, over 60 in less than 24 hours.
Since we started to implement our protection, we prevented over 846,000 attempts to allocate the vulnerability.
Over 46% of those attempts were made by known malicious groups.
We have so far seen an attempted exploit on over 40% of corporate networks globally.
This vulnerability, because of the complexity in patching it and easiness to exploit,
seems that it will stay with us for years to come unless companies and services take immediate action
to prevent the attacks on their products by implementing a protection, end quote.
P.S. Cloudflare says that they are seeing over a thousand log 4J exploit attempts per second at this point.
Fun times, everybody, and just a full disclosure thing, I'm not a security expert. I'm a general knowledge technology dude,
and this is a general knowledge technology podcast.
So if you are a security person listening to this right now, hopefully you're already on the ball using best practices to fix your own backyard.
But if you're a non-security person, a general interest technology person like me and you're worried about your enterprise or your own backyard, please seek out more authoritative security experts than me to figure out what to do to lock your stuff down.
Apple is following through on its promise to help Android users identify air tags and find my trackers that aren't with their owners.
They've debuted Tracker Detect, an Android app that scans for air tags and find my items that may be traveling with users without their knowledge, quoting CNET.
If the Tracker Detector app finds an unexpected air tag that's away from its owner, for example, it will be marked in the app as unknown air tag.
The Android app can then play a sound within 10 minutes of identifying the tracker.
It may take up to 15 minutes after a tracker is separated from its owner before it shows up in the app, Apple said.
If the tracker identified is an air tag, Apple will offer instructions within the app to remove its battery.
Apple also warns within the app that if the person feels their safety is at risk because of the item tracker,
they should contact law enforcement.
Privacy advocates warned earlier this year that Apple air tags could be used as a way to track and stalk people.
Critics noted that because Apple's Find My Network has more than 1 billion active iPhones and other devices
that quietly share their location of any air tags or other Find My devices nearby,
it likely has greater reach than any other device tracking service.
They also noted that Apple built proactive warnings about nearby air tags into its iPhones,
but that didn't offer support for other phones at the time.
Apple in June updated its air tags with new software meant to deter abuse
by adjusting the amount of time before an air tag alerts a non-owner to its presence,
shortening it to between 8 and 24 hours from its initially designed three days.
The tracker detect app, which Apple first discussed in June,
requires users to actively scan for a device before it will be identified.
Apple doesn't require users to have an Apple account in order to use the detecting app, end quote.
Anyone old enough to remember when smartphones were first new,
and so every new attempt at a smartphone, every new experiment from a Motorola or a Nokia,
or whomever. When that rolled out, it was newsworthy because it was new, and the form factor and all
sorts of details in terms of this new product category hadn't been set in stone yet. Those were fun times,
right? To me, that's when gadgets are fun, when the whole category of a gadget is new.
When Android phones were brand new, there was this Cambrian explosion of experimentation,
and every new Android phone was news. And I mean, heck, right before the iPad came out,
Remember, Michael Arrington came out with his own experimental tablet, Wild West days.
Well, I guess AR glasses and maybe VR as well are going to be a new category of Wild West like that
that we're going to have to keep our eyes on in the coming years, which has me a bit excited,
if I'm being honest.
So, say hello to Air Glass, which Apo has announced as an assisted reality product that projects 2D info onto the glasses you're wearing
on your head and weighs about 30 grams with a claimed three-hour battery life. Now, that doesn't
sound super great, right? Sounds like an experiment, but that's the point. This is an evolving category,
so we should expect experiments. Also, don't expect to try this particular experiment out soon,
as it's only coming to China in a limited way in Q1 of next year. Quoting the verge.
Apo describes the airglass as an assisted reality product as opposed to an augmented reality
product, meaning it projects 2D information into your field of view rather than overlaying 3D objects
onto the real world. Yes, this is sort of like Google Glass. The Air Glass has a Qualcomm
Snapdragon 4,100 processor, and weighs just 30 grams or about one ounce in total. Opos says it
should last for three hours of active usage and 40 hours on standby. There are two frame
designs, a silver half frame and a black full frame, and each is available in two sizes. The inside of
frame has a magnetic port that allows it to be attached to more conventional glasses.
The waveguide display uses a tiny projector with micro-LED tech capable of up to 3 million
nits peak brightness, though APO says the actual brightness will be up to 1,400 nits in average
conditions. It can be operated via touch, voice, hand tracking, and head tracking, as well as
through a smart glass app on a smartphone running APO's Color OS 11 or above.
Appos proposed use cases for the airglass are relatively modest. The company says it can be used
for notifications and directions as you'd expect, as well as features like teleprompting and real-time
translation. The display is monochrome with either 16 or 256 levels of grayscale depending on the mode,
so the airglass isn't going to be beaming rich content into your eyes. That said,
it probably isn't going to be a mature mainstream product either. Apos says the airglass will
receive a limited release in Q1, 2022, and at least at first it'll only be sold in mainland China, end quote.
Today I learned that Amazon has an Instacart rival, internally called Fresh Marketplace.
This new service will soon be expanding to the U.S. and Europe in 2022 following, apparently,
its recent UK test debut, quoting the information.
Prime subscribers can currently use the Amazon app or website to order groceries from two major
UK supermarkets with same-day delivery fulfilled by Amazon Flex drivers.
The information has learned that.
Amazon plans to expand the online grocery ordering and delivery program throughout Europe and in the
U.S. in 2022. That will put it in direct competition with Instacart, as well as other companies
expanding in-app grocery deliveries, such as DoorDash and Uber. Clues about Amazon's plans have
surfaced in eight separate job listings the company has posted in recent months for management
positions on what it describes as its fast-growing grocery partnerships team, which operates out of
Los Angeles, Seattle, and Arlington, Virginia, according to listings viewed by the information.
multiple job postings describe the team's purpose as enabling prime customers to shop the selection
from grocery stores on amazon.com and receive their order via ultra fast delivery in two hours or less
end quote so that's pretty clever amazon now has this army of folks in those amazon vans making
deliveries out in the real world every single day so i guess why not have them stop by whole foods too
and just pick up that milk you need i guess that's the thinking
Nike has acquired RTFKT, an NFT studio founded in 2020. No word on the deal size, but RTFKT raised an $8 million seed round back in May, led by Andreessen Horowitz at a $33.3 million valuation, quoting TechCrunch.
The acquisition announcement comes at an opportune time for the studio. RTFKT is currently behind one of the most talked about NFT project drops of the month, a sweeping
avatar partnership with artist Takashi Murakami called Clone X. Since its initial drop less than
three weeks ago, the project has already $65 million in transaction volume, according to CryptoTracker
CryptoSlam. This is a unique opportunity to build the RTFKT brand, and we are excited to benefit
from Nike's foundational strength and expertise to build the communities we love. RTFKT,
co-founder Benoit Pajodo said in a statement. Earlier this month, Adidas announced a partnership with
NFT project Bored Apes Yacht Club. In addition to building out its own NFT drops, RTFKT,
had collaborated with other crypto creators to design items like physical shoes that utilized imagery
in other NFT projects, including Cryptopunks and Board Apes, end quote.
Meanwhile, Spatial is a startup going in the other direction, pivoting to NFTs from its
previous business of being a VR meeting startup. Spatial is now.
going to let users host galleries and events for NFTs and has raised $25 million to do so,
bringing its total raise to date to $50 million, quoting protocol. Just a few months after
meta unveiled its own VR meeting platform, a startup known for a similar product is hitting
the brakes. Spatial, which used to offer AR and VR collaboration tools to enterprise customers,
is pivoting to cater to NFT fans and other consumers, a new direction that is powered by a new
$25 million round of funding. As part of its reboot, Spatial launched a new website,
that allows people to start their own avatar-powered event spaces and NFT galleries right from within their
web browser. Spatial is also available via mobile apps and will continue to support VR as well,
but is heavily emphasizing its web version as a way to quickly get started with a Metaverse-like experience.
Spatial is not the first company to find the Enterprise AR and VR market more challenging than expected.
Now defunct Dacri was looking to sell AR hard hats to the industrial enterprise,
only to find that companies were eager to test its hardware in order to,
paint themselves as innovative, but that field workers didn't actually care about its product.
There are still plenty of hardware and software makers betting on Enterprise, AR, and VR.
However, some now believe that the uptake of immersive computing in the workplace will
mirror what happened in the mobile space with people embracing hardware and services
that align with what they do in their spare time.
Case in point. Meta will stop selling dedicated enterprise versions of its Quest headset
at the end of this month and instead allow people to use their regular headsets for work as well.
Stein claimed that Spatial had built a multi-million-dollar enterprise business, but that it saw a lot
more traction and growth from consumers using its platform for social and cultural events.
Just looking at the data from these new users, we decided to focus 100% on this new consumer path,
he said.
That path includes the ability to sell NFTs through spatial art galleries and eventually turn
custom spatial room designs into NFTs as well.
Spatial is taking a small commission on NFT sales and plans to launch its own NFTs.
The company also plans to add portals to other Metaverse platforms and offer ticketed events, end quote.
So obviously, you all know that I've been hella skeptical of Zuckerberg's vision of meetings in the
metaverse of meetings in VR, but I don't know, there's an example of a company that had to pivot
away from doing something like that because Zuck is getting in this business.
And speaking of that, finally today, the oddity surrounding Facebook's name change to Meta
continue to amuse me, though the theft of that ladies Metaverse Instagram account that we talked
about yesterday wasn't really funny. This is kind of funny. Meta has apparently acquired the worldwide
trademark assets of U.S. Regional Bank Meta Financial Group for $60 million in cash, doing so through
an affiliate called Bejke. Why would Meta need to do this? Maybe they didn't secure all the legal
name rights and trademark rights before they switched to meta, quoting CoinSpeaker.
In a recent regulatory filing, Meta Financial Group noted a deal it signed with Delaware
company Bejke-LLC, as stated in the filing, Bejkech-L-C, has agreed to purchase the worldwide
rights of Meta Financial Group's name for $60 million in cash. However, the financial company
did not reveal the owner of Bejke. A spokesperson for Meta Platforms said the company is
affiliated with Bejke and it has acquired the trademark assets. Separately, a spokesperson from
MetaBank also confirmed meta-platforms involvement in the deal. Also, reports showed that
meta-platforms have been discussing with Meta-financial Group over the trademark assets
acquisition when it was still named Facebook. Metafinancial collaborates with government agencies,
financial technology firms, and other institutions to offer banking services with the aim of
boosting financial inclusion, end quote. Still, $60 million. That's a pretty
expensive name change. Are we sure meta shareholders are okay with all this?
Okay, everybody, tomorrow night at 9 p.m. Eastern, 6 p.m. Pacific, the usual time. Chris and I
will be doing a Twitter space where we talk about the biggest tech stories of the year.
But what were the biggest tech stories of the year? Can you help us figure that out?
If you go to Chris Messina.m.m.m.m.m.4. Top Stories. There's an air table that will let you
submit your top story ideas to us. There's also a place in the form to tell us your name and
Twitter handle and whatnot so that if you're in the space tomorrow, we can call you on stage
and you can nominate the story yourself and talk to us about it. But even if you don't want to
come on the space or you can't, please go to the form and suggest the top stories of the year
for us to discuss anyway. We'll be happy to give you a shout out if you want. Again, that form can
be found at Chris Messina.m e.
slash top stories.
It's also the last link in the show notes today.
Chrismascena.m.m.m.m.m.m.m.comststores talk to you tomorrow.
