
Biz & IT

Facebook AR/VR product head Hugo Barra is being replaced


Facebook’s VP of AR/VR product Hugo Barra is out after some leadership changes at the top of the Oculus organization. After initially being hired to lead the whole VR division, Barra will now be leading global AR/VR partnerships, while Erick Tseng, Facebook’s director of product management, will be replacing Barra in his most recent role leading AR/VR product management.

Barra came on in early 2017 after the ouster of Oculus’s existing leadership structure, when then-CEO Brendan Iribe was demoted alongside much of the founding team to lead product-specific verticals. Later that year Oculus founder Palmer Luckey was ousted.

Barra’s proximity to CEO Mark Zuckerberg’s inner circle was soon diminished after longtime executive Andrew Bosworth was placed ahead of him in the org chart, leading AR/VR at Facebook in a role that also included other consumer hardware efforts like Portal. Barra’s transition comes as the company prepares to release two of its latest virtual reality products, the Rift S and Quest.

Late last year, Oculus had an internal reorganization that shifted the team to more specialization-focused groups as opposed to product-focused.

It’s unclear what the full scope of Barra’s new role is. Facebook partnered with Xiaomi — where Barra previously led international efforts — to build the Oculus Go and Xiaomi’s Mi VR headset. Facebook’s recent partnership with Lenovo to build the Rift S showcases just how important these hardware partnerships are to the company.

On Tseng’s promotion, a Facebook spokesperson said, “He is the right person to step into this role because of his experience leading product teams at Facebook, and leading the Android product team at Google.”

Alongside this news, Facebook noted that longtime content exec Jason Rubin has seen his role expand as well and has received a new title, VP of Special Gaming Initiatives.


Meet Thistle, the startup that wants to secure billions of IoT devices


For more than two decades, Window Snyder has built security into products at some of the biggest companies in the world. Now, she’s unveiling her own company that aims to bake security into billions of connected devices made by other companies.

San Francisco-based Thistle Technologies said on Thursday that it received $2.5 million in seed funding from True Ventures. The startup is creating tools that will help manufacturers build security into connected devices from the ground up.

IoT, hackers’ low-hanging fruit

Printers, ATMs, consumer electronics, automobiles, and similar types of Internet-of-things devices have emerged as some of the biggest targets of malware. Manufacturers typically don’t have the security expertise that companies like Apple, Microsoft, and Google have developed over the past 20 years. The result is billions of devices that ship with vulnerabilities that are preyed upon by profit-driven criminals and nation-state hackers.

“What it takes to build security into products… requires a lot of really specialized skills,” said Snyder, Thistle’s CEO and founder. “You get folks, especially at the devices level, building the same security mechanisms over and over again, reinventing the wheel, and doing it to different levels of resilience.”

Security veteran

Snyder previously served as chief security officer at Square, Mozilla, and Fastly and was chief software security officer at Intel. As a teenager, she was part of a Boston hacker collective before going on to be a consultant at @stake, a security company that employed many of the members of L0pht, another Boston hacker collective. She also spent time at Microsoft working on Windows XP SP2, the update that added a host of security improvements to the OS. Later, she worked on security at Apple.

Thistle will develop frameworks that allow device manufacturers to build reliable and resilient security into their products more quickly than they could on their own. The company’s initial work will focus on building a platform that delivers security updates to connected devices. Patching devices typically requires reflashing firmware, a process that can be fraught with risk.

“It’s one of the reasons that nobody delivers updates for devices, because the cost of failing an update is so high,” Snyder said. “If you’ve got 100 million devices out there and you’ve got a 1-percent failure rate—which is very, very low for updates—that’s still a million devices that are bricked potentially.”

True Ventures is investing $2.5 million in seed funding in Thistle. The Silicon Valley venture capital firm has provided funding to hundreds of early-stage startups, including Duo Security, the company that provides two-factor authentication and other security services and is now owned by Cisco.


In epic hack, Signal developer turns the tables on forensics firm Cellebrite


For years, Israeli digital forensics firm Cellebrite has helped governments and police around the world break into confiscated mobile phones, mostly by exploiting vulnerabilities that went overlooked by device manufacturers. Now, Moxie Marlinspike, the brains behind the Signal messaging app, has turned the tables.

On Wednesday, Marlinspike published a post that reported vulnerabilities in Cellebrite software that allowed him to execute malicious code on the Windows computer used to analyze a device. The researcher and software engineer exploited the vulnerabilities by loading specially formatted files that can be embedded into any app installed on the device.

Virtually no limits

“There are virtually no limits on the code that can be executed,” Marlinspike wrote.

He continued:

For example, by including a specially formatted but otherwise innocuous file in an app on a device that is then scanned by Cellebrite, it’s possible to execute code that modifies not just the Cellebrite report being created in that scan, but also all previous and future generated Cellebrite reports from all previously scanned devices and all future scanned devices in any arbitrary way (inserting or removing text, email, photos, contacts, files, or any other data), with no detectable timestamp changes or checksum failures. This could even be done at random, and would seriously call the data integrity of Cellebrite’s reports into question.

Cellebrite provides two software packages: The UFED breaks through locks and encryption protections to collect deleted or hidden data, and the separate Physical Analyzer uncovers digital evidence (“trace events”).

To do their job, both pieces of Cellebrite software must parse all kinds of untrusted data stored on the device being analyzed. Typically, software that is this promiscuous undergoes all kinds of security hardening to detect and fix any memory-corruption or parsing vulnerabilities that might allow hackers to execute malicious code.

“Looking at both UFED and Physical Analyzer, though, we were surprised to find that very little care seems to have been given to Cellebrite’s own software security,” Marlinspike wrote. “Industry-standard exploit mitigation defenses are missing, and many opportunities for exploitation are present.”

Compromising integrity

One example of this lack of hardening was the inclusion of Windows DLL files for audio/video conversion software known as FFmpeg. The software was built in 2012 and hasn’t been updated since. Marlinspike said that, in the intervening nine years, FFmpeg has received more than 100 security updates. None of those fixes are included in the FFmpeg software bundled into the Cellebrite products.

Marlinspike included a video that shows UFED as it parses a file he formatted to execute arbitrary code on the Windows device. The payload uses the MessageBox Windows API to display a benign message, but Marlinspike said that “it’s possible to execute any code, and a real exploit payload would likely seek to undetectably alter previous reports, compromise the integrity of future reports (perhaps at random!), or exfiltrate data from the Cellebrite machine.”

Marlinspike said he also found two MSI installer packages that are digitally signed by Apple and appear to have been extracted from the Windows installer for iTunes. Marlinspike questioned if the inclusion constitutes a violation of Apple copyrights. Neither Apple nor Cellebrite provided a comment before this post went live.

Marlinspike said he obtained the Cellebrite gear in a “truly unbelievable coincidence” as he was walking and “saw a small package fall off a truck ahead of me.” The incident does seem truly unbelievable. Marlinspike declined to provide additional details about precisely how he came into possession of the Cellebrite tools.

The vulnerabilities could provide fodder for defense attorneys to challenge the integrity of forensic reports generated using the Cellebrite software. Cellebrite representatives didn’t respond to an email asking if they were aware of the vulnerabilities or had plans to fix them.

“We are of course willing to responsibly disclose the specific vulnerabilities we know about to Cellebrite if they do the same for all the vulnerabilities they use in their physical extraction and other services to their respective vendors, now and in the future,” Marlinspike wrote.


They hacked McDonald’s ice cream machines—and started a cold war


Of all the mysteries and injustices of the McDonald’s ice cream machine, the one that Jeremy O’Sullivan insists you understand first is its secret passcode.

Press the cone icon on the screen of the Taylor C602 digital ice cream machine, he explains, then tap the buttons that show a snowflake and a milkshake to set the digits on the screen to 5, then 2, then 3, then 1. After that precise series of no fewer than 16 button presses, a menu magically unlocks. Only with this cheat code can you access the machine’s vital signs: everything from the viscosity setting for its milk and sugar ingredients to the temperature of the glycol flowing through its heating element to the meanings of its many sphinxlike error messages.

“No one at McDonald’s or Taylor will explain why there’s a secret, undisclosed menu,” O’Sullivan wrote in one of the first, cryptic text messages I received from him earlier this year.

As O’Sullivan says, this menu isn’t documented in any owner’s manual for the Taylor digital ice cream machines that are standard equipment in more than 13,000 McDonald’s restaurants across the US and tens of thousands more worldwide. And this opaque user-unfriendliness is far from the only problem with the machines, which have gained a reputation for being absurdly fickle and fragile. Thanks to a multitude of questionable engineering decisions, they’re so often out of order in McDonald’s restaurants around the world that they’ve become a full-blown social media meme. (Take a moment now to search Twitter for “broken McDonald’s ice cream machine” and witness thousands of voices crying out in despair.)

But after years of studying this complex machine and its many ways of failing, O’Sullivan remains most outraged at this notion: That the food-equipment giant Taylor sells the McFlurry-squirting devices to McDonald’s restaurant owners for about $18,000 each, and yet it keeps the machines’ inner workings secret from them. What’s more, Taylor maintains a network of approved distributors that charge franchisees thousands of dollars a year for pricey maintenance contracts, with technicians on call to come and tap that secret passcode into the devices sitting on their counters.

The secret menu reveals a business model that goes beyond a right-to-repair issue, O’Sullivan argues. It represents, as he describes it, nothing short of a milkshake shakedown: Sell franchisees a complicated and fragile machine. Prevent them from figuring out why it constantly breaks. Take a cut of the distributors’ profit from the repairs. “It’s a huge money maker to have a customer that’s purposefully, intentionally blind and unable to make very fundamental changes to their own equipment,” O’Sullivan says. And McDonald’s presides over all of it, he says, insisting on loyalty to its longtime supplier. (Resist the McDonald’s monarchy on decisions like equipment, and the corporation can end a restaurant’s lease on the literal ground beneath it, which McDonald’s owns under its franchise agreement.)

So two years ago, after their own strange and painful travails with Taylor’s devices, 34-year-old O’Sullivan and his partner, 33-year-old Melissa Nelson, began selling a gadget about the size of a small paperback book, which they call Kytch. Install it inside your Taylor ice cream machine and connect it to your Wi-Fi, and it essentially hacks your hostile dairy extrusion appliance and offers access to its forbidden secrets. Kytch acts as a surveillance bug inside the machine, intercepting and eavesdropping on communications between its components and sending them to a far friendlier user interface than the one Taylor intended. The device not only displays all of the machine’s hidden internal data but logs it over time and even suggests troubleshooting solutions, all via the web or an app.

The result, once McDonald’s and Taylor became aware of Kytch’s early success, has been a two-year-long cold war—one that is only now turning hot. At one point, Kytch’s creators believe Taylor hired private detectives to obtain their devices. Taylor recently unveiled its own competing Internet-connected monitoring product. And McDonald’s has gone so far as to send emails to McDonald’s franchisees, warning them that Kytch devices breach a Taylor machine’s “confidential information” and can even cause “serious human injury.”

After watching the efforts of McDonald’s and Taylor decimate their business over the five months since those emails, O’Sullivan and his cofounder are now on the counterattack: The Kytch couple tells WIRED they’re planning to file a lawsuit against some McDonald’s franchisees who they believe are colluding with Taylor by handing over their Kytch devices to the ice cream machine giant and allowing them to be reverse-engineered—a violation of the franchisees’ agreement with Kytch. (Taylor denies obtaining Kytch devices but doesn’t deny trying to gain possession of one or that a Taylor distributor did ultimately access it.) The lawsuit will likely be only the first salvo from Kytch in a mounting, messy legal battle against both Taylor and McDonald’s.

But in his initial messages to me, O’Sullivan mentioned none of the details of this escalating conflict. Instead, with Hamburglar-like slyness, he dared me to pull on a loose thread that he suggested could unravel a vast conspiracy. “I think you could blow this story open by just asking a simple, very reasonable question,” O’Sullivan’s first text messages concluded: “What’s the real purpose of this hidden menu?”

The Ferrari of soft serve?

The standard Taylor digital ice cream machine in a McDonald’s kitchen is “like an Italian sports car,” as one pseudonymous franchisee who uses the Twitter nom de guerre McD Truth described it to me.

When the hundreds of highly engineered components in Taylor’s C602 are working in concert, the machine’s performance is a smooth display of efficiency and power: Like other ice cream machines, it takes in liquid ingredients through a hopper and then freezes them in a spinning barrel, pulling tiny sheets of the frozen mixture off the surface of the barrel’s cold metal with scraper blades, mixing it repeatedly to create the smallest possible ice crystals, and then pushing it through a nozzle into an awaiting cup or cone.

But the ice cream machine Taylor has invented for McDonald’s is special: It has two hoppers and two barrels, each working independently with precise settings, to produce both milkshakes and soft serve simultaneously. It uses a pump, rather than gravity like many other machines, to accelerate the flow of McFlurries and fudge sundaes: McD Truth describes selling 10 ice cream cones a minute during peak sales periods, a feat that’s impossible with other machines.

And while other ice cream machines have to be disassembled and cleaned daily—and any leftover contents discarded—McDonald’s Taylor machines use a daily “heat treatment” process designed to jack up its contents’ temperature to 151 degrees Fahrenheit, pasteurize it for a minimum of 30 minutes, and then refreeze it again in a once-a-night cycle, a modern marvel of hygiene and cost savings.

But in keeping with McD Truth’s Italian sports car analogy, these machines are also temperamental, fragile, and ridiculously overengineered. “They work great as long as everything is 100 percent perfect,” McD Truth writes. “If something isn’t 100 percent, it will cause the machine to fail.” (McDonald’s agreement with franchisees also allows them to use an actual Italian machine, sold by Bologna-based Carpigiani, that McD Truth describes as much better designed. But given that its replacement parts can take a week to arrive from Italy, far fewer restaurants buy it.)

Every two weeks, all of Taylor’s precisely engineered components have to be disassembled and sanitized. Some pieces have to be carefully lubricated. The machine’s parts include no fewer than two dozen rubber and plastic O-rings of different sizes. Leave a single one out, and the pump can fail or liquid ingredients can leak out of the machine. One McDonald’s franchisee’s tech manager told me he’s reassembled Taylor’s ice cream machines more than a hundred times, and had them work on the first try at most 10 of those times. “They’re very, very, very finicky,” he says.

The machine’s automated nightly pasteurization process, rather than make life easier for restaurant managers, has become their biggest albatross: Leave the machine with a bit too much or too little ingredient mixture in its hoppers, accidentally turn it off or unplug it at the wrong moment, or fall victim to myriad other trivial errors or acts of God, and the four-hour pasteurization process fails and offers a generic, inscrutable error message—meaning that the machine won’t work until the entire four hours of heating and freezing repeats, often in the middle of peak ice cream sales hours.


The result can be hundreds of dollars in sales immediately lost. (Especially, O’Sullivan explains, during “shamrock season,” when McDonald’s offers a St. Patrick’s Day–themed mint-green milkshake that boosts shake sales as much as tenfold. “Shamrock season is a big fucking deal,” O’Sullivan emphasizes.)

Taylor sells a machine with these technical demands to businesses where they’ll ultimately be run by a bored teenager whose fast-food career is measured in weeks. So perhaps it’s no surprise that many McDonald’s restaurants’ ice cream machines seem to be as often broken as not. The website McBroken.com, which uses a bot to automatically attempt to place an online order for ice cream at every McDonald’s in America every 20 to 30 minutes and measures the results, reveals that at any given time over the past two months, somewhere between 5 and 16 percent of all US McDonald’s are unable to sell ice cream. On a typical bad day as I reported this piece, that included one out of five McDonald’s in Los Angeles, Washington, DC, and Philadelphia, one out of four in San Francisco, and three out of 10 in New York City.

Plenty of companies have fought against their own customers’ right-to-repair movements, from John Deere’s efforts to prevent farmers from accessing their own tractors’ software to Apple’s efforts to limit who can fix an iPhone. But few of those companies’ products need to be repaired quite so often as McDonald’s ice cream machines. When WIRED reached out to McDonald’s for this story, the company didn’t even attempt to defend the machines’ shambolic performance. “We understand it’s frustrating for customers when they come to McDonald’s for a frozen treat and our shake machines are down—and we’re committed to doing better,” a spokesperson wrote.

On social media, meanwhile, the McDonald’s ice cream meme has come to represent everything disappointing about modern technology, capitalism, and the human condition. When three women in Florida attacked a McDonald’s employee after learning the ice cream machine was broken in 2017, a significant fraction of the Twitter reactions sided with the attackers. McDonald’s itself tweeted from its official account last August that “we have a joke about our soft serve machine but we’re worried it won’t work,” a self-own that received nearly 29,000 likes.

On a recent evening in March, I attempted to tally the number of people who tweeted some version of the joke that they were going to spend their $1,400 Covid stimulus payment to fix their local McDonald’s ice cream machine. I lost count at 200.
