
Redbox’s privacy nightmare revealed

Also: Meta is getting smarter about hardware

Welcome to Lowpass! This week: Out-of-commission Redbox kiosks contain valuable customer data, and Meta knows how to stack boxes.

This week’s Lowpass newsletter is free for all subscribers; most of next week’s edition will only go out to paying members. Upgrade now to not miss it.

Reverse-engineering reveals Redbox’s sloppy privacy practices

Have you ever rented a DVD from a Redbox kiosk? If so, then it’s possible that your rental data, along with most digits of your credit card and other personally identifiable information, is now in the hands of strangers. New findings from a hacker who has been examining the data stored on the hard drive of one of the kiosks reveal that the company apparently kept copies of detailed data of some transactions for years without proper safeguards.

Bay Area-based reverse engineering enthusiast Foone Turing recently got her hands on the disk image of a Redbox kiosk hard drive, and discovered that it included a file with detailed rental data for around 2500 transactions going back nearly a decade.

“[It] contains records for when stuff is rented [including] email addresses, DVD/bluray titles, times, zip codes,” Foone told me via email. With that data, she was able to easily identify someone who rented the movie The Maze Runner from a Redbox kiosk in Morganton, North Carolina in May of 2015.

But that’s not all: Redbox apparently also saved some payment data on those drives. “The device talks to a secure payment transaction device (so there's no logs of full credit info) but it logs a bunch of stuff that it really shouldn't: We've got the first 6 and last 4 [digits] of each credit card used, plus some lower level transaction details,” Foone said.

I recently wrote a story for Sherwood News about Redbox’s chaotic final chapter: The company went bankrupt this summer and is slated to be liquidated, but most of its assets are in a holding pattern as the company’s main creditor, its original owner and a court-appointed trustee struggle to agree on a path forward.

Meanwhile, the bankruptcy court overseeing Redbox’s liquidation has given retailers the go-ahead to get rid of thousands of kiosks remaining on their properties. That’s a risky move, as a company called Automated Kiosk Advisors pointed out in a court filing in August, cautioning that kiosk hard drives could contain “credit/debit card data, email addresses, zip codes, customer names and associated movie rental history.”

Turns out they do, if only for a subset of transactions. The reason the hard drive examined by Foone only logged around 2500 rentals over a span of a decade is not an indictment of Redbox’s business. The company used to move millions of DVDs a week, and surpassed $1 billion in revenue in 2018.

Instead, it’s likely that Redbox’s kiosks only logged this type of data locally when they were offline. If, for instance, a storm knocked out internet access, a kiosk could still rent DVDs, and then simply sync transaction and billing data once it regained access to the internet.

Still, by not properly encrypting and regularly scrubbing this type of data, Redbox may have violated a number of laws and regulations. For instance, the payment industry’s security policies demand that companies safeguard encryption keys against misuse – something that Redbox apparently didn’t do. What’s more, the Video Privacy Protection Act requires companies to prevent the “wrongful disclosure of video tape rental or sale records,” and imposes fines if they don’t.
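To make the offline-logging failure mode and its fix concrete, here is an added illustration (my own, not Redbox’s code) of how a kiosk-side store-and-forward spool could minimize what it writes to disk, delete each record once the backend acknowledges it, and flag anything that has lingered past a retention limit. It assumes a per-kiosk token key kept off the spool disk and uses constructed sample rentals.

```python
import hashlib, hmac, json, os, tempfile
from pathlib import Path

# Hypothetical kiosk-side spool (added illustration, not Redbox's code). Assumes the
# token key lives off the spool disk (payment device / sealed store), so a copied
# drive image alone cannot reverse the email tokens.
TOKEN_KEY = os.environ.get("KIOSK_TOKEN_KEY", "constructed-demo-key").encode()
MAX_AGE = 7 * 24 * 3600  # seconds; an unsynced record older than this is a retention failure

def minimize(rental: dict) -> dict:
    """Keep only what reconciliation needs; zip, email and card digits are never written."""
    token = hmac.new(TOKEN_KEY, rental["email"].lower().encode(), hashlib.sha256).hexdigest()
    return {"ts": rental["ts"], "title": rental["title"],
            "email_token": token, "payment_ref": rental["payment_ref"]}

class OfflineSpool:
    def __init__(self, directory):
        self.dir = Path(directory)
        self.dir.mkdir(parents=True, exist_ok=True)
    def record(self, rental):
        rec = minimize(rental)
        name = f"{rec['ts']}-{rec['email_token'][:8]}.json"
        (self.dir / name).write_text(json.dumps(rec))
        return name
    def sync(self, upload):
        """Upload each spooled record; delete it only once the upload is acknowledged."""
        sent = 0
        for f in sorted(self.dir.glob("*.json")):
            if upload(json.loads(f.read_text())):
                f.unlink()
                sent += 1
        return sent
    def overdue(self, now):
        # Records still on disk past MAX_AGE: exactly what should have been scrubbed.
        return sorted(f.name for f in self.dir.glob("*.json")
                      if now - int(f.name.split("-")[0]) > MAX_AGE)

def run_demo():
    """Constructed sample: two offline rentals; only the recent one gets acknowledged."""
    now = 1_700_000_000
    old = {"ts": now - 10 * 86400, "email": "a@example.com", "title": "Film A",
           "payment_ref": "ref-1", "zip": "28655", "card_first6_last4": "411111-1111"}
    new = {"ts": now - 3600, "email": "b@example.com", "title": "Film B",
           "payment_ref": "ref-2", "zip": "28655", "card_first6_last4": "555555-4444"}
    with tempfile.TemporaryDirectory() as d:
        spool = OfflineSpool(d)
        old_name, new_name = spool.record(old), spool.record(new)
        written = json.loads((spool.dir / new_name).read_text())
        synced = spool.sync(lambda rec: rec["payment_ref"] == "ref-2")
        return {"keys": sorted(written), "synced": synced,
                "overdue": spool.overdue(now), "old_name": old_name}
```

The point is in what never reaches the disk: the written record carries no zip code, email or card digits, and a record that is still present after the sync window is surfaced as a problem rather than silently kept for a decade.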

Granted, in Redbox’s case, it’s unlikely that anyone would be able to collect such fines. Redbox’s corporate parent Chicken Soup for the Soul Entertainment filed for Chapter 7 bankruptcy, which essentially means that there is no company left to be held liable.

Still, there are tens of thousands of Redbox kiosks still out there, possibly holding millions of rental records. It’s the leaking of those records that worries Foone the most. “The first machine I looked at data for was from North Carolina, near where I'm from,” she told me via email. “When I last lived there, I lived near a store with a Redbox, and one day a guy got beaten up there for ‘looking gay’ (he, incidentally, was not gay). It wouldn't be hard to cross-reference these rental records against a list of movies, and find new targets for people to beat up.”

Enjoy reading stories like this one? Then please consider upgrading to the $8 a month / $80 a year paid tier to support my reporting, and get access to the full Lowpass newsletter every week.

Advertise with Lowpass, the newsletter everyone is talking about

Lowpass has been breaking some major news this fall, which has driven up both open rates (around 37% of our subscribers open each issue, on average) and interest from advertisers. We only have a few open sponsorship slots left in Q4, and are now also taking reservations for Q1, including CES week.

Image credit: Janko Roettgers / Lowpass

A tale of two boxes: How Meta is getting smarter about selling hardware

Whenever people debate the next big thing after the smartphone, you’ll likely hear someone make the following argument: Meta can’t possibly compete against companies like Apple and Google in AR because it simply has no experience making hardware.

There’s some truth to that: Meta doesn’t have nearly the same track record as Apple in particular, which has sold north of 2.3 billion iPhones, and countless additional iPads, computers and more. However, Meta has been selling tens of millions of Quest headsets over the past couple of years, and closely observing the evolution of the device line tells you quite a bit about the ways the company is adapting to the realities of the hardware business.

Meta recently sent me a Quest 3s review unit. I will have more to say about the device itself in the coming weeks. Today, I want to focus on something else entirely that caught my eye when I first opened the package: The Quest 3s comes in an incredibly compact cardboard box. Its surface area is about the size of a magazine cover, and the box is about as tall as a CD case standing up. 

Or, in more precise terms: The 256 GB Quest 3s box is about 8.7 x 9.7 x 4.7 inches. That is significantly smaller than its predecessors: The Quest 2 box measured 16.4 x 7.6 x 5 inches, and the box for the original Oculus Quest came in at 14.5 x 9 x 5.5 inches.

Box sizes matter for a whole range of reasons when it comes to consumer electronics: Smaller boxes are cheaper to make, cost less in shipping when sold directly to consumers, and take up less shelf space in retail stores. In the case of the Quest, one front-facing Quest 2 box took up almost as much shelf space as two Quest 3s boxes.

The difference is just as stark when it comes to importing hardware from overseas: A standard pallet holds 126 Quest 2 packages, according to this handy pallet calculator. The same pallet has room for 200 Quest 3s packages, meaning that Meta can ship close to 60% more Quest 3s packages with the same cargo space. (This is obviously just an example calculation; the actual dimensions of pallets and container space used by the company may vary.)

This isn’t the first time Meta has used a small box like this. The Quest 3, released last year, fits into an even more compact box, likely because of a smaller body enabled by its pancake lens optics. This shows how Meta has been getting smarter about making hardware over the past couple of years.

When the company released its first Oculus Quest in 2019, it was overwhelmed by the demand, to the point where some consumers had issues finding a headset for months. With the Quest 2, Meta largely solved the supply issues, leading to reported sales of 20 million units. The latest tweaks to the headset’s packaging show that the company is ready to once again move large volumes of the Quest 3 and Quest 3s.

SPONSORED

Looking for a job is lonely

What if you could connect with dozens of local companies who are hiring right now, with just one connection? That’s Express Employment Professionals. One call. One application. And no fees, ever, for job seekers. One connection for endless job opportunities. Sign up today.

What else

HoloLens cost Microsoft billions of dollars. Business Insider was told by a source that the company spent around $5 billion on the AR headset.

Spotify brings music videos to many more markets. Subscribers in close to 100 countries can now watch music videos on Spotify.

Apple’s Vision Pro got just ten new native apps last month. Developer interest in the headset has slowed down significantly, according to Appfigures data.

Samsung smart TVs are getting a new UI. The company’s Tizen-based TV sets are getting a UI refresh that more closely aligns them with Samsung phones and tablets.

Meet u/KeithFromSonos. An interesting interview about a super smart strategy: Sonos has had an employee participating in the main Sonos Subreddit for years. That role has become even more important following the app screw-up earlier this year.

DirecTV is launching a free streaming service called MyFree DirecTV. Soon, they’ll be able to merge it with Dish’s free Sling TV tier, I guess.

Prime Video ads are expanding internationally. Prime Video subscribers will have to endure ads (or pay more not to) in Japan, Brazil, India, the Netherlands and New Zealand next year.

Apple could release a new headset as early as next year. The Vision non-Pro (Air? S?) is expected to cost around $2000, according to Mark Gurman.

That’s it

Well this is sad: Laser Dance, one of the most-anticipated mixed reality games of the year, has been delayed until 2025. UploadVR has all the details. So … what mixed reality game should I play now? Feel free to send me your recommendations by responding to this email.

Thanks for reading, have a great weekend!

Redbox photo courtesy of (CC-BY) Thekirbster.
