RSS: TechCrunch
Bored of the coins

17 November, by Jon Evans

Something strange is afoot in the world of cryptocurrencies. For the first time since Satoshi dropped Bitcoin on us like a benevolent bomb, this painfully new, highly bizarre field has become … well … boring. The true believers will tell you that great strides are being made, and the mainstream breakthrough is just around the corner, but they’ve been saying that for long enough that it’s beginning to seem reasonable to start wondering if these wolves were ever real.

I know, I know, it seems especially weird to be saying this at the same time that the President of China and CEO of Facebook have both become blockchain advocates. But China’s cryptocurrency, if it happens, will be a panopticoin, a tool to centralize monetary control even more firmly in the hands of the Communist Party, nothing like the decentralized censorship-resistant programmable money that the crypto community is theoretically all about; and Facebook’s, while making technical progress, keeps losing partners and gaining enemies.

The crypto community is currently all agog about “DeFi,” for decentralized finance, a movement which basically expands cryptocurrencies from “censorship-resistant money” to “censorship-resistant financial instruments,” such as collateralized loans and interest-bearing investments, along with “staking” (not really DeFi, but often treated as such). Inside the crypto world, this seems like a revolution which will one day replace Wall Street. Outside the crypto world, it seems … a little like monks debating how many angels can dance on the end of a pin: something no one is actually using and nobody outside the monastery cares about.

It’s easy to get the impression the cryptocurrency world has sacrificed technical engineering in favor of financial engineering. It’s easy to see them as having abandoned “banking the unbanked,” the alleged initial noble goal of many, to “offering sophisticated financial instruments to the unbanked,” long before any of those famous unbanked have actually been, you know, banked. And I’m sorry to report that you wouldn’t be entirely wrong.

But there are real technical advances being made. It’s just that they’re mostly slow and behind the scenes, and in the interim, the community’s “MOPs and sociopaths” have seized on DeFi.

There is some visible progress. ZCash is making apparent breakthroughs in important, foundational cryptographic research. Tezos continues to upgrade its governance algorithms — modify its code constitution, basically — successfully.

On the application layer, I’m interested in Vault12, which uses “friends and family to safeguard crypto assets” — basically, instead of entrusting the secret keys which control your cryptocurrencies to a third party like an exchange, something not particularly different from traditional banking, you protect them among people you trust, so that some number of them can collaborate with you to recover your keys if they’re lost, using a cryptographic protocol known as Shamir’s Secret Sharing. Luminaries such as Vitalik Buterin and Christopher Allen have argued for “social key recovery” for some time, and it’s interesting to see it offered by a slick new Valley startup.

But a lot of what’s happening is more fundamental, in search of the ability to support many more transactions than today’s blockchains. The entire foundation of today’s second-leading cryptocurrency, Ethereum, is being torn apart and replaced wholesale, in search of “Ethereum 2.0.” Bitcoin remains much more stable and conservative, but a whole new story is being added to its foundations, the Lightning Network. Both make me uneasy. A fundamental rewrite is always worrying. Lightning may scale, but it is if anything even more user-hostile than Bitcoin, basically the cryptocurrency equivalent of a hard-to-use prepaid credit card. Still, the permissionless equivalent of prepaid credit cards would be good for the unbanked that everyone’s clearly so worried about, right?

I’m also uneasy because almost all blockchain scaling solutions — Lightning, sharding, Plasma, optimistic rollup, etc. — turn fundamental blockchain security from something relatively passive (check the hashes and use the chain with the most computational power) to something active (“watchtowers,” “fraud proofs.”) This seems to me to increase the security attack surface a lot.

All these issues may yet be solved. Sure. But at the same time, it feels like dissonance between the attitude inside the crypto bubble and that of mundanes may never have been greater. Meanwhile, the dark spectre of Tether hangs over the entire industry. OK, circumstantial evidence is inadmissible for good reason … but there sure is a lot of it.

I’ve argued before that “ongoing associations with a cloud of crazy scandal and hangers-on snake-oil salespeople — all of which would be catastrophic signs for, say, a traditional new startup — can actually be indicators of the strength, not weakness” of the cryptocurrency movement …

…but at some point, your religion — or “brain virus,” as Naval Ravikant once called cryptocurrencies — has to begin to appeal to people who do not actually live on your compound, or else you are going to remain a cult and wither out. When is that going to happen? Is that going to happen? The answer remains no clearer than it was five years ago.


China Roundup: Alibaba’s Hong Kong listing and Tencent’s new fuel

17 November, by Rita Liao

Hello and welcome back to TechCrunch’s China Roundup, a digest of recent events shaping the Chinese tech landscape and what they mean to people in the rest of the world. The earnings season is here. This week, long-time archrivals in the Chinese internet battlefield — Alibaba and Tencent — made some big revelations about their future. First off, let’s look at Alibaba’s long-awaited secondary listing and annual shopping bonanza.

Forget about the number

It’s that time of year. On November 11, Alibaba announced it generated $38.4 billion worth of gross merchandise value during the annual Single’s Day shopping festival, otherwise known as Double 11. It smashed the record and grabbed local headlines again, but the event means little other than a big publicity win for the company and showcasing the art of drumming up sales.

GMV is often used interchangeably with sales in e-commerce. That’s problematic because the number takes into account all transactions, including refunded items, and it’s by no means reflective of a company’s actual revenue. There are numerous ways to juice the figure, too, as I wrote last year. Presales began days in advance, incentives were doled out to spur last-minute orders and no refunds could be processed until November 12.

Even Jiang Fan, the boss of Alibaba’s e-commerce business and the youngest among Alibaba’s 38 most important decision-makers, downplayed the number: “I never worry about transaction volumes. Numbers don’t matter. What’s most important is making Single’s Day fun and turning it into a real festival.”

Indeed, Alibaba put together another year of what’s equivalent to the Super Bowl halftime show. Taylor Swift and other international big names graced the stage as the evening gala was live-streamed and watched by millions across the globe.

Returning home

Alibaba is going ahead with its secondary listing in Hong Kong on the heels of reports that it could delay the sale due to ongoing political unrest in the city-state. The company is cash-rich, but listing closer to its customers can potentially ease some of the pressure arising from a new era of volatile U.S.-China relationships.

Alibaba is issuing 500 million new shares with an additional over-allotment option of 75 million shares for international underwriters, it said in a company blog. Reports have put the size of its offering between $10 billion and $15 billion, down from the earlier rumored $20 billion.

The giant has long expressed it intends to come home. In 2014, the e-commerce behemoth missed out on Hong Kong because the local exchange didn’t allow dual-class structures, a type of organization common in technology companies that grants different voting rights for different stocks. The giant instead went public in New York and raised the largest initial public offering in history at $25 billion.

“When Alibaba Group went public in 2014, we missed out on Hong Kong with regret. Hong Kong is one of the world’s most important financial centers. Over the last few years, there have been many encouraging reforms in Hong Kong’s capital market. During this time of ongoing change, we continue to believe that the future of Hong Kong remains bright. We hope we can contribute, in our small way, and participate in the future of Hong Kong,” said chairman and chief executive Daniel Zhang in a statement.

Missing out on Alibaba had also been a source of remorse for the Stock Exchange of Hong Kong. Charles Li, chief executive of the HKEX, admitted that losing Alibaba to New York had compelled the bourse to reform. The HKEX has since added dual-class shares and attracted Chinese tech upstarts such as smartphone maker Xiaomi and local services platform Meituan Dianping.

Tencent’s new fuel

Content and social networks have been the major revenue drivers for Tencent since its early years, but new initiatives are starting to gain ground. In the third quarter ended September 30, Tencent’s “fintech and business services” unit, which includes its payments and cloud services, became the firm’s second-largest sales avenue trailing the long-time cash cow of value-added services, essentially virtual items sold in games and social networks.

Payments, in particular, accounted for much of the quarterly growth thanks to increased daily active consumers and number of transactions per user. That’s good news for the company, which said back in 2016 that financial services would be its new focus (in Chinese) alongside content and social. The need to diversify became more salient in recent times as Tencent faces stricter government controls over the gaming sector and intense rivalry from ByteDance, the new darling of advertisers and owner of TikTok and Douyin.

Tencent also broke out revenue for cloud services for the first time. The unit grew 80% year-on-year to rake in 4.7 billion yuan ($670 million) and received a great push as the company pivoted to serve more industrial players and enterprises. Alibaba’s cloud business still leads the Chinese market by a huge margin, with revenue topping $1.3 billion during the September quarter.

Also worth your attention…

Luckin Coffee, the Chinese startup that began as a Starbucks challenger, is starting to look more like a convenience store chain with delivery capabilities as it continues to increase store density (a combination of seated cafes, pickup stands and delivery kitchens) and widen product offerings to include a growing snack selection. Though bottom-line loss continued in the quarter, store-level operating profit swung to $26.1 million from a loss in the prior-year quarter. Some 30 million customers have purchased from Luckin, marking an increase of 413.4% from 6 million a year ago.

Minecraft is on the brink of 300 million registered users in China, its local publisher Netease announced at an event this week. That’s a lot of players, but not totally unreasonable given the game is free-to-play in the country with in-game purchases, so users can easily own multiple accounts. Outside China, the game has sold over 180 million paid copies, according to gaming analyst Daniel Ahmed from Niko Partners.

Xiaomi founder Lei Jun is returning a huge favor by backing a long-time friend. Xpeng Motors, the Chinese electric vehicle startup financed by Alibaba and Foxconn, has received $400 million in capital from a group of backers who weren’t identified except Xiaomi, which became its strategic investor. The marriage would allow Xpeng cars to tap Xiaomi’s growing ecosystem of smart devices, but the relationship dates further back. Lei was an early investor in UCWeb, a browser company founded by He and acquired by Alibaba in 2014. A day after Xiaomi began trading in Hong Kong in mid-2018, He wrote on his WeChat feed that he had bought $100 million worth of Xiaomi shares (in Chinese) in support of his old friend.


The man behind Bezos’ next lunar guidance system talks future tech

17 November, by Mike Butcher

Draper, the MIT spin-off engineering lab, is famed for developing the Apollo 11 Guidance Computer (not Draper Esprit, I hasten to add). Ken Gabriel, President and CEO, also recently made a major announcement. Blue Origin has now partnered with Lockheed Martin and Northrop Grumman to build elements of the company’s human-rated lunar lander, and Draper will lead the development of the lander’s avionics and guidance systems, with an aim to be ready to land a crew on the moon by 2024.

“While Blue Origin is the prime contractor, Lockheed Martin is building the ascent stage, Northrop Grumman is building the transfer element and Draper is doing the GNC (guidance, navigation and control),” Blue Origin CEO and founder Jeff Bezos said, announcing the move at the International Astronautical Congress in Washington. Blue Origin is competing for a NASA contract to develop a crewed lunar lander, or Human Landing System, for the Artemis program, which aims to return astronauts to the surface of the moon by the end of 2024.

TechCrunch sat down to chat with Gabriel, who previously co-founded Google’s Advanced Technology and Projects (ATAP) group, to talk about what he sees coming up in the future for the most advanced technologies. Prior to this, he was Deputy and Acting Director of the famed DARPA in the U.S. Department of Defense. During his tenure, DARPA advanced capabilities in hypersonics, offensive and defensive cyber, and big data analytics for intelligence and national security.


Iran shuts down country’s internet in the wake of fuel protests

17 November, by Ingrid Lunden

Iran, one of the countries most strongly identified with the rise of cyber terrorism and malicious hacking, appears now to be using an iron fist to turn on its own. The country has reportedly shut down nearly all internet access in the country in retaliation for escalating protests that were originally ignited by a rise in fuel prices, according to readings taken by NetBlocks, an NGO that monitors cybersecurity and internet governance around the world.

The last reports of outages came from yesterday (Saturday) evening, so we have contacted NetBlocks to get a more updated picture.

So far, the picture looks pretty bleak. Babak Taghvaee, a defense analyst and historian who is not based in Iran and who has been posting some videos of the protest skirmishes, confirms to me that his own internet communication lines with contacts have also been broken, with phones still working, albeit with monitoring from the State.

“Internet is completely shut down and I can’t communicate [with] anyone,” he said. “People just can call abroad (just certain countries) using telephone which is being monitored.”

Currently, using Twitter as one marker, it seems that there are at least some people sending out media and messages from the country, specifically related to the protests, although without specific “messaging” against the government attached to them. This one comes from Tehran, above one of the country’s main highways, showing how traffic has backed up due to streets getting closed down:

And here is another with video from the ground, showing people and police swarming.

And of course the government is still Tweeting, too:

The protests arose in response to a decision by the state to raise the price of gas in the country by 50%.

As this AP article points out, Iran has some of the cheapest gas in the world — in part because it has one of the world’s biggest crude oil reserves — and so residents in the country see cheap gas as a “birthright.”

Many use their cars not just to get around themselves but to provide informal taxi services to others, so — regardless of your opinion on whether using fossil fuels is something to be defended or not — hiking up the prices cuts right to ordinary people’s daily lives, and has served as the spark for protest in the country over bigger frustrations with the government and economy, as Iran continues to struggle under the weight of US sanctions.

Clamping down on internet access as a way of trying to contain not just protesters’ communication with each other, but also the outside world, is not an unprecedented move; it is part and parcel of how un-democratic regimes control their people and situations. Alarmingly, its use seems to be growing.

Pakistan in September cut off internet access in specific regions in response to protests over conflicts with India. And Russia — which has now approved a bill to be able to shut down internet access should it decide to — is now going to start running a series of drills to ensure its blocks work when they are being used in live responses.

We’ll update this post as we learn more.


Army photogrammetry technique makes 3D aerial maps in minutes

16 November, by Devin Coldewey

Aerial imagery is a common asset in military matters, but 3D maps can be difficult to collect on short notice without specialized equipment. This new photogrammetry technique from the Army Corps of Engineers, however, can make accurate 3D maps from ordinary aerial footage in just minutes.

Photogrammetry is the process of comparing multiple photos of the same location or item to produce a 3D map of it. It’s a well-known method but in some cases still relies on human intelligence to determine, for instance, which frames of a video should be used to produce the best results.

Ricky Massaro from the Army’s Geospatial Research Laboratory in Virginia has mitigated that problem and produced a highly efficient photogrammetric method that can turn aerial imagery into accurate 3D surface maps in near real-time without any human oversight.

This image shows the depth map as color – red being higher. It was created from combining multiple 2D images.

The system was tested by the 101st Airborne, which flew a drone over Fort Campbell in Kentucky and mapped a mock city used for training exercises. It was also deployed in Iraq for non-combat purposes. So this isn’t stuck in a lab somewhere — it’s been put to work, and is now being publicized because the patent filing is in and the Army is now negotiating to commercialize the system.

“Whether it’s for soldiers or farmers, this tech delivers usable terrain and intelligence products fast,” said Quinton King, a manager at TechLink, the Defense Department’s commercial tech transfer organization. “And I’m happy to help companies learn how they can leverage Dr. Massaro’s work for their own products or applications.”

The real-time photogrammetry wouldn’t replace lidar or ground-based mapping systems, but act in concert with them. Being able to produce accurate depth from ordinary aerial imagery, and without having to send tons of data to a central location or involve human experts, makes it adaptable to a variety of situations. If you’re curious about the specifics, you can check out the patent application here.


‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

16 November, by Zack Whittaker

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. But there was no password on the storage bucket, allowing anyone to access the files inside.
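The exposure described here comes down to bucket settings that let anyone read the object. As an added example, not code from the article or from any company it names, here is an offline check over the three documents the S3 API returns for a bucket (the ACL from GetBucketAcl, the policy from GetBucketPolicy and the PublicAccessBlockConfiguration from GetPublicAccessBlock), run against a constructed exposed configuration and a constructed hardened one; the owner id, bucket name, account id and role name are placeholders.

```python
"""Offline check of the three S3 settings that decide whether a bucket is
readable by anyone: the bucket ACL, the bucket policy and the Public Access
Block configuration, in the JSON shapes the S3 API returns them."""
from typing import Any, Dict, List

# Grantee URIs S3 uses for the anonymous and the any-signed-in-AWS-user groups.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """'*' or {"AWS": "*"} means any principal, signed in or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_acl_grants(acl: Dict[str, Any]) -> List[str]:
    """Return 'PERMISSION via GROUP' for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{grant.get('Permission')} via {group}")
    return findings


def public_policy_statements(policy: Dict[str, Any]) -> List[str]:
    """Return actions that Allow statements grant to every principal.
    A Condition may narrow the audience, so those are tagged '(conditional)'
    for manual review rather than silently accepted."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        tag = " (conditional)" if stmt.get("Condition") else ""
        findings.extend(f"{action}{tag}" for action in _as_list(stmt.get("Action")))
    return findings


def assess_bucket(acl: Dict[str, Any], policy: Dict[str, Any],
                  public_access_block: Dict[str, Any]) -> List[str]:
    """Combine the three views; an empty list means nothing public was found."""
    findings = [f"ACL grants {g}" for g in public_acl_grants(acl)]
    findings += [f"policy allows {a} to everyone" for a in public_policy_statements(policy)]
    missing = [k for k in PAB_KEYS if not public_access_block.get(k)]
    if missing:
        findings.append("Public Access Block not fully enabled: " + ", ".join(missing))
    return findings


# Constructed sample documents (not taken from the incident); all ids are placeholders.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}
EXPOSED_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
]}
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupReaderOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"},
]}
HARDENED_PAB = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY, {})),
                       ("hardened", (HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB))):
        print(name, assess_bucket(*args) or ["no public access found"])
```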

The bucket is not believed to have been exposed for long — since around early-September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed it contained information on 452,634 players, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making it difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data, and the most recent entries date to mid-2018.

A formatted version of the database backup file, redacted, containing 452,000 user records. (Image: TechCrunch)

Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.


This Week in Apps: Apple’s vaping app ban, Disney+ gets installed, apps gear up for Black Friday

16 November, by Sarah Perez

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support, and the money that flows through it all. What are developers talking about? What do app publishers and marketers need to know? How are politics impacting the App Store and app businesses? And which apps are everyone using?

As mid-November rolls around, we’re looking at a few big stories, including Apple’s decision to ban an entire category of apps due to health concerns, the launch of Disney+ from an app perspective, what Black Friday will mean for e-commerce apps, and more.

Fast Facts

With Disney+’s huge launch (10+ million users!) on everyone’s minds, it’s time to think about what these streaming newcomers mean for the overall landscape and the app stores. In this case, it seems that Disney+’s user base was highly mobile. The company itself announced more than 10 million users, while data on the Disney+ app’s first few days indicates it now has over 10 million downloads. It seems like consumers definitely want to take their new streaming service with them everywhere they go.

  • In 2020, App Annie forecasts consumers will spend more than 674 billion hours in the Entertainment and Video Player and Editor categories worldwide on Android phones, up from an expected 558 billion hours in 2019. Disney+, Apple TV+ and soon HBO Max, Peacock and Quibi are making the landscape both richer and more complicated.
  • On its launch day, Disney+ hit #1 by iPhone Overall downloads at 8 AM in the U.S. and at 11 AM in Canada — an indication that strong IP can really excite consumers to come out in droves. (Unfortunately, that led to some launch day glitches, too.)
  • Apptopia estimated Disney+ was downloaded 3.2 million times in its first 24 hours. The firm also estimated users collectively spent 1.3 million hours watching Disney+ on day one — ahead of Amazon Prime Video, but well behind Netflix.
  • Sensor Tower waited to collect a little more data instead. It found that the Disney+ app was installed approximately 9.6 million times in all available markets (the U.S., Canada, and the Netherlands), since its U.S. launch on Tuesday, Nov. 12. For comparison’s sake, HBO Now’s U.S. launch only saw 180,000 installs in its first three days — or 2% of the Disney+ total. Combined with the test period installs in the Netherlands, the app has now been installed over 10 million times.
  • The hype around Disney+ has had a halo effect. Hulu and ESPN, which were offered in a bundle with Disney+, also grew as a result of the Disney+ launch. Sensor Tower found combined users of the apps in the U.S. and Canada were up 30% in the past week over the week prior.

Headlines

Apple removed all vaping apps from the App Store, citing CDC health concerns

The CDC says 42 people have died due to vaping product use and thousands more cases of lung injuries have been reported from 49 states. Now, Apple has made the controversial decision to remove all 181 vaping-related apps from its App Store — including those with news and information about vaping and even vaping-related games, Axios reported this week.

Some say Apple is helping to protect kids and teens by limiting their exposure to e-cigarette and vaping products, which are being used to addict a younger generation to nicotine and cause serious disease. Others argue that Apple is over-reaching. After all, many of the lung illnesses involve people who were vaping illegally obtained THC, studies indicated.

This isn’t the first time Apple has banned a category of apps because of what appear to be moral concerns. The company in the past had booted apps that promoted weed or depicted gun violence, for example. In the case of vaping apps, Apple cited the public health crisis and youth epidemic as contributing factors, telling Axios that:

We take great care to curate the App Store as a trusted place for customers, particularly youth, to download apps. We’re constantly evaluating apps, and consulting the latest evidence, to determine risks to users’ health and well-being. Recently, experts ranging from the CDC to the American Heart Association have attributed a variety of lung injuries and fatalities to e-cigarette and vaping products, going so far as to call the spread of these devices a public health crisis and a youth epidemic. We agree, and we’ve updated our App Store Review Guidelines to reflect that apps encouraging or facilitating the use of these products are not permitted. As of today, these apps are no longer available to download.

Existing users will still be able to use their apps, but new users will not be able to download the banned apps going forward.

Minecraft Earth arrives

Minecraft Earth launched early last week across 9 countries on both Android and iOS and now it’s come to the U.S., Canada, the U.K., and several other markets. Some expect the app will rival the success of the AR breakout hit, Pokémon Go, which was thought at the time to be the precursor to a new wave of massive AR gaming titles. But in reality, that didn’t happen. The highly anticipated follow-up from Niantic, Harry Potter: Wizards Unite didn’t come close to competing with its predecessor, generating $12 million in its first month, compared with Pokémon Go’s first-month earnings of $300 million. With Minecraft Earth now sitting at No. 2 (c’mon, you can’t unseat Disney+) on the U.S. App Store, it seems there’s potential for another AR kingpin.

App Annie releases a user acquisition playbook

A top name in App Store intelligence, App Annie this week released a new how-to handbook focused on user acquisition strategies on mobile. Sure the free download is just a bit of lead gen for App Annie, but the guide promises to fill you in on all you need to know to be successful in acquiring mobile users. The playbook’s arrival follows App Annie’s acquisition of adtech insights firm Libring this fall, as it expands to cover more aspects of running an app business. Just as important as rankings and downloads are the very real costs associated with running an app business — including the cost of acquiring users.


The House and Senate finally agree on something: Robocalls

16 November, by Devin Coldewey

In these times of political strife, it’s nice that despite our differences we can still band together as a nation in the face of a catastrophe that affects us all equally. I speak, of course, of robocalls, and it seems that the House and Senate have put their differences aside for the present in order to collaborate on a law combating this scourge.

Despite a great deal of FCC bluster, a few high-profile fines and some talk from telecoms about their plans to implement new anti-robocall standards, half the country’s phones are still blowing up regularly with recordings and scammers on the other side.

If regulators find it difficult to act, ultimately what’s needed is legislation from lawmakers, who no doubt are receiving the calls themselves, which might have given the task a special urgency.

As often happens in Congress, two competing versions of the bill emerged to address this issue, and both passed in their respective chambers earlier this year. Now the leaders of the committees involved have announced an “agreement in principle” that will hopefully allow them to pass a unified version of the bill.

The “Pallone-Thune TRACED Act” owes its name to its primary sponsors — Rep. Pallone (D-NJ) and Sen. John Thune (R-SD) — and the earlier and superior acronym from the House act, Telephone Robocall Abuse Criminal Enforcement and Deterrence.

“Our agreement will require telephone carriers to verify calls and allow robocalls to be blocked in a consistent and transparent way, all at no extra charge to consumers. The agreement also gives the FCC and law enforcement the ability to quickly go after scammers,” said Rep. Pallone in a statement accompanying the news.

The bill text is expected to be finalized in a matter of days, and it will hopefully make it onto the legislative calendar in a hurry.

Meanwhile, the FCC has been waiting patiently for telecoms to implement SHAKEN/STIR, an anti-spoofing measure they can implement on their networks, repeatedly warning that it will eventually take action if they don’t. A resolution in June made clear that robocalls from outside the country are legal to block, but didn’t say anything about potential fees. Fortunately the act mentioned above does make sure consumers don’t get dinged for the service.


Those crappy pre-installed Android apps can be full of security holes

16 November, by Greg Kumparak

If you’ve ever bought an Android phone, there’s a good chance you booted it up to find it pre-loaded with junk you definitely didn’t ask for.

These pre-installed apps can be clunky, annoying to remove, rarely updated… and, it turns out, full of security holes.

Security firm Kryptowire built a tool to automatically scan a large number of Android devices for signs of security shortcomings and, in a study funded by the U.S. Department of Homeland Security, ran it on phones from 29 different vendors. Now, the majority of these vendors are ones most people have never heard of — but a few big names like Asus, Samsung and Sony make appearances.

Kryptowire says they found vulnerabilities of all different varieties, from apps that can be forced to install other apps, to tools that can be tricked into recording audio, to those that can silently mess with your system settings. Some of the vulnerabilities can only be triggered by other apps that come pre-installed (thus limiting the attack vector to those along the supply chain); others, meanwhile, can seemingly be triggered by any app the user might install down the road.

Kryptowire has a full list of observed vulnerabilities here, broken down by type and manufacturer. The firm says it found 146 vulnerabilities in all.
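As an added example (not part of the article and not Kryptowire's scanner), the Python script below shows one kind of check such a tool performs: it parses a decoded AndroidManifest.xml and reports components that any co-installed app can reach without holding a meaningful permission. An unprotected exported receiver, service, activity or provider inside a privileged pre-installed app is a typical root cause of the "triggered by any app the user might install" class of bug described above; the article does not say which root causes Kryptowire actually found, so treat that mapping as an assumption. The package, component and permission names in the constructed sample manifest are made up, and the script expects the decoded XML (as produced by apktool), not the binary AXML inside an APK.

```python
"""Static check for exported Android components that lack a caller restriction.

Added example, not Kryptowire's tool and not code from the article. Input is a
decoded AndroidManifest.xml (binary AXML is not parsed). All names in the
sample manifest are constructed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _attr(elem, name, default=None):
    return elem.get("{%s}%s" % (ANDROID_NS, name), default)


def _is_exported(elem, target_sdk):
    """Effective 'exported' value, reproducing the framework defaults that apply
    when the attribute is omitted (Android 12+ requires it to be explicit)."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17          # providers defaulted to exported before API 17
    return elem.find("intent-filter") is not None   # any intent-filter implies exported


def _is_launcher(elem):
    # A MAIN/LAUNCHER activity is expected to be exported; do not flag it.
    for f in elem.findall("intent-filter"):
        for a in f.findall("action"):
            if _attr(a, "name") == "android.intent.action.MAIN":
                return True
    return False


def find_unprotected_exports(manifest_xml):
    """Return a list of {component, type, issue} dicts for reachable components."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion", "1")) if uses_sdk is not None else 1
    # protectionLevel of permissions the APK defines itself; system permissions stay unknown
    declared = {_attr(p, "name"): _attr(p, "protectionLevel", "normal")
                for p in root.findall("permission")}
    findings = []
    app = root.find("application")
    for elem in ([] if app is None else list(app)):
        if elem.tag not in COMPONENT_TAGS or not _is_exported(elem, target_sdk):
            continue
        if elem.tag in ("activity", "activity-alias") and _is_launcher(elem):
            continue
        name = _attr(elem, "name")
        perm = _attr(elem, "permission")
        if elem.tag == "provider" and perm is None:
            # a provider is only fully guarded if both directions carry a permission
            r, w = _attr(elem, "readPermission"), _attr(elem, "writePermission")
            if r and w:
                perm = r
            elif r or w:
                findings.append({"component": name, "type": elem.tag,
                                 "issue": "provider guards only one of read/write"})
                continue
        if perm is None:
            findings.append({"component": name, "type": elem.tag,
                             "issue": "exported without any permission"})
            continue
        level = declared.get(perm, "unknown")
        if level.startswith("signature"):
            continue                    # only apps signed with the same key can hold it
        if level in ("normal", "dangerous"):
            # any third-party app can request a normal/dangerous permission
            findings.append({"component": name, "type": elem.tag,
                             "issue": "exported behind %s-level permission %s" % (level, perm)})
        else:
            findings.append({"component": name, "type": elem.tag,
                             "issue": "exported behind externally defined permission %s; "
                                      "verify its protectionLevel" % perm})
    return findings


# Constructed sample: a fictional OEM helper app with a mix of safe and unsafe components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.oem.settingshelper">
  <uses-sdk android:targetSdkVersion="28"/>
  <permission android:name="com.example.oem.INTERNAL" android:protectionLevel="signature"/>
  <permission android:name="com.example.oem.DIAG" android:protectionLevel="normal"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SettingsWriteReceiver">
      <intent-filter><action android:name="com.example.oem.WRITE_SETTING"/></intent-filter>
    </receiver>
    <service android:name=".AudioCaptureService" android:exported="true"
             android:permission="com.example.oem.DIAG"/>
    <activity android:name=".InternalAdminActivity" android:exported="true"
              android:permission="com.example.oem.INTERNAL"/>
    <service android:name=".PrivateWorker" android:exported="false">
      <intent-filter><action android:name="com.example.oem.WORK"/></intent-filter>
    </service>
    <provider android:name=".LogProvider" android:authorities="com.example.oem.logs"
              android:exported="true" android:readPermission="com.example.oem.INTERNAL"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in find_unprotected_exports(SAMPLE_MANIFEST):
        print("%-9s %-24s %s" % (f["type"], f["component"], f["issue"]))
```

On the sample, the receiver with an intent-filter and no permission, the service guarded only by a normal-level permission, and the provider with a read permission but no write permission are reported; the signature-protected activity and the non-exported service are not. A real triage would go on to read the flagged components' code to confirm what a caller can make them do.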

As Wired points out, Google is well aware of this potential attack route. In 2018 it launched a program called the Build Test Suite (or BTS) that all partner OEMs must pass. BTS scans a device’s firmware for any known security issues hiding amongst its pre-installed apps, flagging these bad apps as Potentially Harmful Applications (or PHAs). As Google puts it in its 2018 Android security report:

OEMs submit their new or updated build images to BTS. BTS then runs a series of tests that look for security issues on the system image. One of these security tests scans for pre-installed PHAs included in the system image. If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users.

During its first calendar year, BTS prevented 242 builds with PHAs from entering the ecosystem.

Anytime BTS detects an issue we work with our OEM partners to remediate and understand how the application was included in the build. This teamwork has allowed us to identify and mitigate systemic threats to the ecosystem.

Alas, one automated system can’t catch everything — and when an issue does sneak by, there’s no certainty that a patch or fix will ever arrive (especially on lower-end devices, where long-term support tends to be limited).

We reached out to Google for comment on the report, but have yet to hear back.

Update — Google’s response:

We appreciate the work of the research community who collaborate with us to responsibly fix and disclose issues such as these.


Facebook’s Libra code chugs along ignoring regulatory deadlock

15 November, by Josh Constine

“5 months and growing strong” the Libra Association announced today in a post about its technical infrastructure that completely omits the fierce regulatory backlash to its cryptocurrency.

Forty wallets, tools and block explorers plus 1,700 GitHub commits have now been built on its blockchain testnet, which has seen 51,000 mock transactions in the past two months. Libra nodes that process transactions are now being run by Coinbase, Uber, BisonTrails, Iliad, Xapo, Anchorage and Facebook’s Calibra. Six more nodes are being established, plus there are 8 more getting set up from members who lack technical teams, meaning all 21 members have nodes running or in the works.

But the update on the Libra backend doesn’t explain how the association plans to get all the way to its goal of 100 members and nodes by next year when it originally projected a launch. And it gives no nod to the fact that even if Libra is technically ready to deploy its mainnet in 2020, government regulators in the U.S. and around the world still won’t necessarily let it launch.

Facebook itself seems to be hedging its bets on fintech in the face of pushback against Libra. This week it began the launch of Facebook Pay, which will let users pay friends, merchants and charities with a single payment method across Facebook, Messenger, WhatsApp and Instagram.

Facebook Pay could help the company drive more purchases on its platform, get more insights into transactions and lead merchants to spend more on ads to lure in sales facilitated by quicker payments. That’s most of what Facebook was trying to get out of Libra in the first place, beyond better financial inclusion.

Last month’s congressional testimony from Facebook CEO Mark Zuckerberg was less contentious than Libra board member David Marcus’ appearances on Capitol Hill in July. Yet few of lawmakers’ core concerns about how Libra could facilitate money laundering, endanger users’ assets and give Facebook even more power amidst ongoing anti-trust investigations were assuaged.

This set of announcements from the Libra Core summit of technical members was an opportunity for the project to show how it was focused on addressing fraud, security and decentralization of power. Instead, the Libra Association took the easy route of focusing on what the Facebook-led development team knows best: writing code, not fixing policy. TechCrunch provided questions to the Libra Association and some members, but the promised answers were not returned before press time.

[Update: In response to our article and criticisms about the lack of acknowledgement of regulatory issues, a Libra spokesperson provided the following statement.]

Today’s Libra Core Summit was the first step towards a collaborative development plan for Libra Core and Move. The summit was designed to educate and support members in areas including running a Libra node, building a Libra wallet, scaling the Libra network and interoperability between Libra wallets. There are many facets of the Libra project that are working in tandem. The Libra Association executive leadership team is continuing the critical work to listen to, engage and collaborate with regulators around the world.

“For those organizations without a technical team to implement a node, the Libra Association is working on a strategy to support deployment in 2020, when the Libra Core feature set is complete,” the Association’s Michael Engle writes. “The Libra Association intends to deploy 100 nodes on the mainnet, representing a mix of on-premises and cloud-hosted infrastructure.” It feels a bit like Libra is plugging its ears.

Having proper documentation, setting up CLAs to ease GitHub contributions, standardizing the Move language, a bug bounty program and a public technical roadmap are a good start. But until the Association can answer Congress’ questions directly, regulators are likely to refuse Libra approval, which Zuckerberg said the project won’t launch without.

