Timesdelhi.com

May 27, 2019

Politics - page 2

Thousands of vulnerable TP-Link routers at risk of remote hijack


Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took over a year for the company to publish the patches on its website.

The vulnerability allows any low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password, which many users never change.

In the worst-case scenario, an attacker could target vulnerable devices on a massive scale, using a similar mechanism to how botnets like Mirai worked — by scouring the web and hijacking routers using default passwords like “admin” and “pass”.

Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in January 2018 that another router, TP-Link’s WR740N, was also vulnerable to the same bug because the company reused vulnerable code between devices.

TP-Link said the vulnerability was quickly patched in both routers. But when we checked, the firmware for WR740N wasn’t available on the website.

When asked, a TP-Link spokesperson said the update was “currently available when requested from tech support,” but wouldn’t explain why. Only after TechCrunch reached out did TP-Link update the firmware page to include the latest security update.

Top countries with vulnerable WR740N routers. (Image: Shodan)

Routers have long been notorious for security problems. At the heart of any network, any flaw affecting a router can have disastrous effects on every connected device. By gaining complete control over the router, Mabbitt said an attacker could wreak havoc on a network. Modifying the settings on the router affects everyone who’s connected to the same network, like altering the DNS settings to trick users into visiting a fake page to steal their login credentials.

TP-Link declined to disclose how many potentially vulnerable routers it had sold, but said that the WR740N had been discontinued a year earlier in 2017. When we checked two search engines for exposed devices and databases, Shodan and Binary Edge, each suggested there are anywhere between 129,000 and 149,000 devices on the internet — though the number of vulnerable devices is likely far lower.

Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.

Both the U.K. and the U.S. state of California are set to soon require companies to sell devices with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.

The Mirai botnet downed Dyn, a domain name service giant, which knocked dozens of major sites offline for hours — including Twitter, Spotify and SoundCloud.


Now at Google, Facebook’s former teen-in-residence launches new social game Emojishot


Facebook’s former teen-in-residence Michael Sayman, now at Google, is back today with the launch of a new game: Emojishot, an emoji-based guessing game for iOS, built over the past ten weeks within Google’s in-house incubator, Area 120.

The game, which is basically a version of charades using emoji characters, is notable because of its creator.

By age 17, Sayman had launched five apps and had become Facebook’s youngest-ever employee. Best known for his hit game 4 Snaps, the developer caught Mark Zuckerberg’s eye, earning him a demo spot on stage at Facebook’s F8 conference. While at Facebook, Sayman built Facebook’s teen app Lifestage — a Snapchat-like standalone project which allowed the company to explore new concepts around social networking aimed at a younger demographic.

Lifestage was shut down two years ago, and Sayman defected to Google shortly afterward. At Google, he was rumored to be heading up an internal social gaming effort called Arcade where gamers played using accounts tied to their phone numbers — not a social network account.

At the time, HQ Trivia was still a hot title, not a novelty from a struggling startup — and the new gaming effort looked like Google’s response. However, Arcade has always been only an Area 120 project, we understand.

To be clear, that means it’s not an official Google effort — as an Area 120 project, it’s not associated with any of Google’s broader efforts in gaming, social or anything else. Area 120 apps and services are instead built by small teams who are personally interested in pursuing an idea. In the case of Emojishot, it was Sayman’s own passion project.

Emojishot itself is meant to be played with friends, who take turns using emoji to create a picture so friends can guess the word. For example, the game’s screenshots show the word “kraken” being drawn using octopus, boat and arrow emojis. The emojis are selected from a keyboard below and can be resized to create the picture. The resulting picture is called the “emojishot,” and can also be saved to your Camera Roll.

Players can pick from a variety of words that unlock and get increasingly difficult as you successfully progress through the game. The puzzles can also be shared with friends to get help with solving, and there’s a “nudge” feature to encourage a friend to return to the game and play.

According to the game’s website, the idea was to make a fun game that explored emojis as art and a form of communication.

Unfortunately, we were unable to test it just yet, as the service wasn’t up-and-running at the time of publication. (The game is just now rolling out so it may not be fully functional until later today).

While there are other “Emoji Charades” games on the App Store, the current leading title is aimed at playing with friends at a party on the living room TV, not on phones with friends.

Sayman officially announced Emojishot today, noting his efforts at Area 120 and how the game came about.

“For the last year, I’ve been working in Area 120, Google’s workshop for experimental products. I’ve been exploring and rapidly prototyping a bunch of ideas, testing both internally and externally,” he says. “Ten weeks ago, we came up with the idea for an emoji-based guessing game. After a lot of testing and riffing on the idea, we’re excited that the first iteration — Emojishot — is now live on the iOS App Store…We’ve had a lot of fun with it and are excited to open it up to a wider audience,” Sayman added.

He notes that more improvements to the game will come over time, and offered to play with newcomers via his username “michael.”

The app is available to download from the U.S. iOS App Store here. An Android waitlist is here.


Meet Projector, collaborative design software for the Instagram age


Mark Suster of Upfront Ventures bonded with Trevor O’Brien in prison. The pair, Suster was quick to clarify, were on site at a correctional facility in 2016 to teach inmates about entrepreneurship as part of a workshop hosted by Defy Ventures, a nonprofit organization focused on addressing the issue of mass incarceration.

They hit it off, sharing perspectives on life and work, Suster recounted to TechCrunch. So when O’Brien, a former director of product management at Twitter, mentioned he was in the early days of building a startup, Suster listened.

Three years later, O’Brien is ready to talk about the idea that captured the attention of the Bird, FabFitFun and Ring investor. It’s called Projector.

It’s the brainchild of a product veteran (O’Brien) and a gaming industry engineer turned Twitter vice president of engineering (Projector co-founder Jeremy Gordon), a combination that has given rise to an experiential and well-designed platform. Projector is browser-based, real-time collaborative design software tailored for creative teams that feels and looks like a mix of PowerPoint, Google Docs and Instagram. Though it’s still months away from a full-scale public launch, the team recently began inviting potential users to test the product for bugs.

“We want to reimagine visual communication in the workplace by building these easier to use tools and giving creative powers to the non-designers who have great stories to tell and who want to make a difference,” O’Brien told TechCrunch. “They want change to happen and they need to be empowered with the right kinds of tools.”

Today, Projector is a lean team of 13 employees based in downtown San Francisco. They’ve kept quiet since late 2016 despite closing two rounds of venture capital funding. The first, a $4 million seed round, was led by Upfront’s Suster, as you may have guessed. The second, a $9 million Series A, was led by Mayfield in 2018. Hunter Walk of Homebrew, Jess Verrilli of #Angels and Nancy Duarte of Duarte, Inc. are also investors in the business, among others.

O’Brien leads Projector as chief executive officer alongside co-founder and chief technology officer Gordon. Years ago, O’Brien was pursuing a PhD in computer graphics and information visualization at Brown University when he was recruited to Google’s competitive associate product manager program. He dropped out of Brown and began a career in tech that would include stints at YouTube, Twitter, Coda and, finally, his very own business.

O’Brien and Gordon crossed paths at Twitter in 2013 and quickly realized a shared history in the gaming industry. O’Brien had spent one year as an engineer at a games startup called Mad Doc Software, while Gordon had served as the chief technology officer at Sega Studios. Gordon left Twitter in 2014 and joined Redpoint Ventures as an entrepreneur-in-residence before O’Brien pitched him on an idea that would become Projector.

Projector co-founders Jeremy Gordon (left), Twitter’s former vice president of engineering, and Trevor O’Brien, Twitter’s former director of product management

“We knew we wanted to create a creative platform but we didn’t want to create another creative platform for purely self-expression, we wanted to do something that was a bit more purposeful,” O’Brien said. “At the end of the day, we just wanted to see good ideas succeed. And with all of those good ideas, succeeding typically starts with them being presented well to their audience.”

Initially, Projector is targeting employees within creative organizations and marketing firms, who are frequently tasked with creating visually compelling presentations. The tool suite is free for now and will be until it’s been sufficiently tested for bugs and has fully found its footing. O’Brien says he’s not sure just yet how the team will monetize Projector, but predicts they’ll adopt Slack’s per user monthly subscription pricing model.

As original and user-friendly as it may be, Projector is up against great competition right out of the gate. In the startup landscape, it’s got Canva, a graphic design platform valued at $2.5 billion earlier this week with a $70 million financing. On the old-guard side, it’s got Adobe, which sells a widely used suite of visual communication and graphic design tools. Not to mention Prezi, Figma and, of course, Microsoft’s PowerPoint, which is total crap but still used by millions of people.

“There are many tools scratching at the surface, but there’s not one visual communications tool that wins them all,” Suster said of his investment in Projector.

Projector is still in its very early days. The company currently has just two integrations: Unsplash for free stock images and Giphy for GIFs. O’Brien would eventually like to incorporate iconography, typography and sound to liven up Projector’s visual presentation capabilities.

The ultimate goal, aside from generally improving workplace storytelling, is to make crafting presentations fun, because shouldn’t a corporate slideshow or even a startup’s pitch be as entertaining as scrolling through your Instagram feed?

“We wanted to try to create something that doesn’t feel like work,” O’Brien said.

Throw out your diary, Jour is a new app for guided journaling


Since Jour, a new app for private and portable journaling, dropped on the App Store two months ago, it’s racked up 80,000 users. No paid marketing or public announcements. Just organic interest in discovering a better way of journaling than pen to paper.

“We can reinvent and redesign what we call journaling and the journal,” Jour co-founder and chief executive officer Maxime Germain told TechCrunch. “If we do it right, it will go mainstream.”

New York-based Jour has raised a $1.8 million seed round from True Ventures’ Kevin Rose. Similar to the meditation apps that have skyrocketed in popularity recently, Jour’s audio-guided sequences are meant to facilitate the journaling process and encourage writers to mindfully reflect and record their lives. With its seed funding, Jour will expand its library of audio sessions and written questions meant to spark inspiration.

“Meditation apps have shown there are some self-care habits we can use in our life to feel better, to feel less anxious,” Germain, a French native who relocated to New York seven years ago, said. “But the journal is a way to capture moments and people’s authentic selves. It’s all the stuff you might not be sharing on social media.”

Jour, at its core, is an app battling mental illness. The business joins a number of other well-being apps and venture-backed startups targeting the mental health crisis. From brick-and-mortar therapy clinics to chat apps to emotional wellness assistants, venture capitalists are waking up to the emotional struggles rampant across the globe.

“Ten years ago when I first started using meditation apps I think there was a certain type of stigma; like you need help so you’re meditating,” True Ventures’ Rose, a founder of Digg, Oak, a guided meditation app, and Zero, an app for tracking intermittent fasting, told TechCrunch. “Now, it’s just crossed over to the mainstream.”

“I’m hopeful we are finally getting to a point where we can have open conversations about mental health,” Rose added.

Jour co-founders (from left to right) Maxime Germain, Justin Bureau and Bobby Giangeruso

As Jour deals with an influx of new users, it’s keeping the entire app and all of its features free, though eventually, the team plans to add a paywall to some of the guided content. As for anyone concerned about the safety of your anxieties, hopes and dreams, Jour’s founding team, which includes Germain, Bobby Giangeruso and Justin Bureau, built the app with zero-knowledge encryption.

“I would feel very uncomfortable if the rest of the people on my team could read my most intimate thoughts,” Germain explained. “We built [Jour] with an encryption key that stays on the phone, all the data is encrypted with that key and if you lose that key we can’t recover the entries that we save on the servers. Only you have access to that key, it’s stored on the phone, it encrypts the data and even if the data is compromised we can’t get it.”

Phew. The last thing we need today is our diaries getting hacked.

London’s Tube network to switch on wi-fi tracking by default in July


Transport for London will roll out default wi-fi device tracking on the London Underground this summer, following a trial back in 2016.

In a press release announcing the move, TfL writes that “secure, privacy-protected data collection will begin on July 8” — while touting additional services, such as improved alerts about delays and congestion, which it frames as “customer benefits”, as expected to launch “later in the year”.

As well as offering additional alerts-based services to passengers via its own website/apps, TfL says it could incorporate crowding data into its free open-data API — to allow app developers, academics and businesses to expand the utility of the data by baking it into their own products and services.

It’s not all just added utility though; TfL says it will also use the information to enhance its in-station marketing analytics — and, it hopes, top up its revenues — by tracking footfall around ad units and billboards.

Commuters using the UK capital’s publicly funded transport network who do not want their movements being tracked will have to switch off their wi-fi, or else put their phone in airplane mode when using the network.

To deliver data of the required detail, TfL says detailed digital mapping of all London Underground stations was undertaken to identify where wi-fi routers are located so it can understand how commuters move across the network and through stations.

It says it will erect signs at stations informing passengers that using the wi-fi will result in connection data being collected “to better understand journey patterns and improve our services” — and explaining that to opt out they have to switch off their device’s wi-fi.

Attempts in recent years by smartphone OSes to use MAC address randomization to try to defeat persistent device tracking have been shown to be vulnerable to reverse engineering via flaws in wi-fi set-up protocols. So, er, switch off to be sure.

We covered TfL’s wi-fi tracking beta back in 2017, when we reported that despite claiming the harvested wi-fi data was “de-personalised”, and claiming individuals using the Tube network could not be identified, TfL nonetheless declined to release the “anonymized” data-set after a Freedom of Information request — saying there remains a risk of individuals being re-identified.

As has been shown many times before, reversing ‘anonymization’ of personal data can be frighteningly easy.

It’s not immediately clear from the press release or TfL’s website exactly how it will be encrypting the location data gathered from devices that authenticate to use the free wi-fi at the circa 260 wi-fi enabled London Underground stations.

Its explainer about the data collection does not go into any real detail about the encryption and security being used. (We’ve asked for more technical details.)

“If the device has been signed up for free Wi-Fi on the London Underground network, the device will disclose its genuine MAC address. This is known as an authenticated device,” TfL writes generally of how the tracking will work.

“We process authenticated device MAC address connections (along with the date and time the device authenticated with the Wi-Fi network and the location of each router the device connected to). This helps us to better understand how customers move through and between stations — we look at how long it took for a device to travel between stations, the routes the device took and waiting times at busy periods.”

“We do not collect any other data generated by your device. This includes web browsing data and data from website cookies,” it adds, saying also that “individual customer data will never be shared and customers will not be personally identified from the data collected by TfL”.

In a section entitled “keeping information secure” TfL further writes: “Each MAC address is automatically depersonalised (pseudonymised) and encrypted to prevent the identification of the original MAC address and associated device. The data is stored in a restricted area of a secure location and it will not be linked to any other data at a device level. At no time does TfL store a device’s original MAC address.”

Privacy and security concerns were raised about the location tracking around the time of the 2016 trial — such as why TfL had used a monthly salt key to hash the data rather than daily salts, which would have limited how long a single pseudonym stays linkable and so decreased the risk of data being re-identifiable should it leak out.

Such concerns persist — and security experts are now calling for full technical details to be released, given TfL is going full steam ahead with a rollout.


A report in Wired suggests TfL has switched from hashing to a system of tokenisation – “fully replacing the MAC address with an identifier that cannot be tied back to any personal information”, which TfL billed as a “more sophisticated mechanism” than it had used before. We’ll update as and when we get more from TfL.
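The two approaches described above, a salted one-way hash of the MAC address (with the rotation period deciding how long one pseudonym stays linkable) and random tokenisation, are easy to compare on a handful of records. The following is an added example and is not TfL’s code; TfL has not published its scheme, so the example assumes an HMAC-SHA256 keyed hash standing in for the hashing it used, with the salt for each rotation window derived from a master secret, and the connection records are constructed sample data.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from datetime import date

# Constructed sample wi-fi connection records, not real TfL data.
# Each tuple is (day, MAC address, station the device associated with).
SAMPLE_RECORDS = [
    (date(2019, 7, 8), "02:00:5e:00:53:01", "Oxford Circus"),
    (date(2019, 7, 8), "02:00:5e:00:53:01", "Bank"),
    (date(2019, 7, 9), "02:00:5e:00:53:01", "Oxford Circus"),
    (date(2019, 7, 10), "02:00:5e:00:53:01", "Bank"),
    (date(2019, 7, 8), "02:00:5e:00:53:02", "Victoria"),
    (date(2019, 7, 9), "02:00:5e:00:53:02", "Victoria"),
]


def period_label(day: date, period: str) -> str:
    """Label of the salt-rotation window that `day` falls in."""
    if period == "day":
        return day.isoformat()
    if period == "month":
        return day.strftime("%Y-%m")
    raise ValueError(f"unknown period: {period}")


def derive_salt(master_secret: bytes, label: str) -> bytes:
    """Derive the salt for one rotation window from a master secret (assumed
    design). Only the master secret needs protecting; each window's salt is
    reproducible, so records from the same window stay linkable to each other."""
    return hmac.new(master_secret, label.encode(), hashlib.sha256).digest()


def pseudonymise_mac(mac: str, salt: bytes) -> str:
    """One-way pseudonym: keyed hash of the MAC under the window's salt.
    The same device always yields the same pseudonym within one window,
    and a different one once the salt rotates."""
    return hmac.new(salt, mac.lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise_records(records, master_secret: bytes, period: str):
    """Replace each MAC with its pseudonym; the raw MAC is not kept."""
    out = []
    for day, mac, station in records:
        salt = derive_salt(master_secret, period_label(day, period))
        out.append((day, pseudonymise_mac(mac, salt), station))
    return out


def max_days_per_pseudonym(pseudo_records) -> int:
    """Largest number of distinct days one pseudonym can be followed across.
    This is the linkability a leaked data set would expose."""
    days = defaultdict(set)
    for day, pseudonym, _station in pseudo_records:
        days[pseudonym].add(day)
    return max(len(d) for d in days.values())


class Tokeniser:
    """Random-token alternative: each MAC gets a fresh random identifier with
    no mathematical relationship to the address. The lookup table is the only
    way back, so it must be held separately from the data or discarded."""

    def __init__(self):
        self._table = {}

    def token_for(self, mac: str) -> str:
        mac = mac.lower()
        if mac not in self._table:
            self._table[mac] = secrets.token_hex(8)
        return self._table[mac]

    def tokenise_records(self, records):
        return [(day, self.token_for(mac), station) for day, mac, station in records]


def demo():
    """Linkability under a monthly salt versus a daily salt on the sample data."""
    master = secrets.token_bytes(32)
    monthly = pseudonymise_records(SAMPLE_RECORDS, master, "month")
    daily = pseudonymise_records(SAMPLE_RECORDS, master, "day")
    return max_days_per_pseudonym(monthly), max_days_per_pseudonym(daily)


if __name__ == "__main__":
    m, d = demo()
    print(f"monthly salt: one pseudonym spans up to {m} days")
    print(f"daily salt:   one pseudonym spans up to {d} days")
```

On the sample data the monthly salt lets one pseudonym be followed across all three days a device was seen, while the daily salt confines every pseudonym to a single day, which is the point of the daily-salt objection. Note that neither variant makes the data anonymous on its own: the MAC address space is small, so the hashing variant depends entirely on the salt (or master secret) never leaving the restricted environment, and the tokenisation variant depends on the lookup table doing the same.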

Another question over the deployment at the time of the trial was what legal basis it would use for pervasively collecting people’s location data — since the system requires an active opt-out by commuters, a consent-based legal basis would not be appropriate.

In a section on the legal basis for processing the Wi-Fi connection data, TfL writes now that its ‘legal ground’ is two-fold:

  • Our statutory and public functions
  • to undertake activities to promote and encourage safe, integrated, efficient and economic transport facilities and services, and to deliver the Mayor’s Transport Strategy

So, presumably, you can file ‘increasing revenue around adverts in stations by being able to track nearby footfall’ under ‘helping to deliver (read: fund) the mayor’s transport strategy’.

(Or as TfL puts it: “[T]he data will also allow TfL to better understand customer flows throughout stations, highlighting the effectiveness and accountability of its advertising estate based on actual customer volumes. Being able to reliably demonstrate this should improve commercial revenue, which can then be reinvested back into the transport network.”)

On data retention it specifies that it will hold “depersonalised Wi-Fi connection data” for two years — after which it will aggregate the data and retain those non-individual insights (presumably indefinitely, or per its standard data retention policies).

“The exact parameters of the aggregation are still to be confirmed, but will result in the individual Wi-Fi connection data being removed. Instead, we will retain counts of activities grouped into specific time periods and locations,” it writes on that.

It further notes that aggregated data “developed by combining depersonalised data from many devices” may also be shared with other TfL departments and external bodies. So that processed data could certainly travel.

Of the “individual depersonalised device Wi-Fi connection data”, TfL claims it is accessible only to “a controlled group of TfL employees” — without specifying how large this group of staff is; and what sort of controls and processes will be in place to prevent the risk of A) data being hacked and/or leaking out or B) data being re-identified by a staff member.

A TfL employee with intimate knowledge of a partner’s daily travel routine might, for example, have access to enough information via the system to be able to reverse the depersonalization.

Without more technical details we just don’t know. Though TfL says it worked with the UK’s data protection watchdog in designing the data collection with privacy front of mind.

“We take the privacy of our customers very seriously. A range of policies, processes and technical measures are in place to control and safeguard access to, and use of, Wi-Fi connection data. Anyone with access to this data must complete TfL’s privacy and data protection training every year,” it also notes elsewhere.

Despite holding individual level location data for two years, TfL is also claiming that it will not respond to requests from individuals to delete or rectify any personal location data it holds, i.e. if people seek to exercise their information rights under EU law.

“We use a one-way pseudonymisation process to depersonalise the data immediately after it is collected. This means we will not be able to single out a specific person’s device, or identify you and the data generated by your device,” it claims.

“This means that we are unable to respond to any requests to access the Wi-Fi data generated by your device, or for data to be deleted, rectified or restricted from further processing.”

Again, the distinctions it is making there are raising some eyebrows.

What’s amply clear is that the volume of data that will be generated as a result of a full rollout of wi-fi tracking across the lion’s share of the London Underground will be staggeringly massive.

More than 509 million “depersonalised” pieces of data were collected from 5.6 million mobile devices during the four-week 2016 trial alone — comprising some 42 million journeys. And that was a very brief trial which covered a much smaller sub-set of the network.

As big data giants go, TfL is clearly gunning to be right up there.
