Month: October 2018

12 Oct 2018

Apple rebukes Australia’s “dangerously ambiguous” anti-encryption bill

Apple has strongly criticized Australia’s anti-encryption bill, calling it “dangerously ambiguous” and “alarming to every Australian.”

The Australian government’s draft law — known as the Access and Assistance Bill — would compel tech companies operating in the country, like Apple, to provide “assistance” to law enforcement and intelligence agencies in accessing electronic data. The government claims that encrypted communications are “increasingly being used by terrorist groups and organized criminals to avoid detection and disruption,” without citing evidence.

But critics say the bill grants “broad authorities that would undermine cybersecurity and human rights, including the right to privacy” by forcing companies to build backdoors and hand over user data — even when it’s encrypted.

Now, Apple is the latest company, after Google and Facebook, to join civil and digital rights groups — including Amnesty International — in opposing the bill, amid fears that the government will rush it through before the end of the year.

In a seven-page letter to the Australian parliament, Apple said that it “would be wrong to weaken security for millions of law-abiding customers in order to investigate the very few who pose a threat.”

“We appreciate the government’s outreach to Apple and other companies during the drafting of this bill,” the letter read. “While we are pleased that some of the suggestions incorporated improve the legislation, the unfortunate fact is that the draft legislation remains dangerously ambiguous with respect to encryption and security.”

“This is no time to weaken encryption,” it read. “Rather than serving the interests of Australian law enforcement, it will just weaken the security and privacy of regular customers while pushing criminals further off the grid.”

Apple laid out six focus points — which you can read in full here — each arguing that the bill would violate international agreements, weaken cybersecurity and harm user trust by compelling tech companies to build weaknesses or backdoors into their products. Security experts have for years said that there’s no way to build a “secure backdoor” that gives law enforcement authorities access to data but can’t be exploited by hackers.

Although Australian lawmakers have claimed that the bill’s intentions are not to weaken encryption or compel backdoors, Apple’s letter said “the breadth and vagueness of the bill’s authorities, coupled with ill-defined restrictions” leaves the bill’s meaning open to interpretation.

“For instance, the bill could allow the government to order the makers of smart home speakers to install persistent eavesdropping capabilities into a person’s home, require a provider to monitor the health data of its customers for indications of drug use, or require the development of a tool that can unlock a particular user’s device regardless of whether such tool could be used to unlock every other user’s device as well,” the letter said.

Apple’s comments are some of the strongest pro-encryption statements it’s given to date.

Two years ago, the FBI sued Apple to force the technology giant to build a tool to bypass the encryption in an iPhone used by one of the San Bernardino shooters, who killed 14 people in a terrorist attack in December 2015. Apple challenged the FBI’s demand — and chief executive Tim Cook penned an open letter calling the move a “dangerous precedent.” The FBI later dropped its case after it paid hackers to access the device’s contents.

Australia’s anti-encryption bill is the latest in a string of legislative efforts by governments to seek greater surveillance powers.

The U.K. passed its Investigatory Powers Act in 2016, and earlier this year the U.S. reauthorized its foreign surveillance laws with few changes, despite efforts to close warrantless domestic spying loopholes discovered in the wake of the Edward Snowden disclosures.

The Five Eyes group of governments — made up of the U.K., U.S., Canada, Australia and New Zealand — further doubled down on its anti-encryption aggression in recent remarks, demanding that tech companies provide access or face legislation that would compel their assistance.

12 Oct 2018

Facebook prototypes Unsend 6 months after Zuckerberg retracted messages

In April, TechCrunch broke the news that some of Mark Zuckerberg’s Facebook messages were deleted from recipients’ inboxes in what some saw as a violation of user trust. Then, Facebook suddenly announced that it would actually build this Unsend functionality for everyone. Then six months went by without a peep about the feature, furthering suspicions that the announcement that it would release an Unsend button was merely a PR-driven response to the scandal.

Late last week, TechCrunch asked Facebook about its progress on Unsend, and the company told us “Though we have nothing to announce today, we have previously confirmed that we intend to ship a feature like this and are still planning to do so.”

Now we have our first look at the feature thanks to TechCrunch’s favorite tipster Jane Manchun Wong. She’s managed to generate screenshots of a prototype Unsend button from Facebook Messenger’s Android code. Currently, you can only delete messages from your own inbox — they still remain in the recipients’ inbox. But with this Unsend feature, you’ll be able to remove a message from both sides of a conversation. However, the code indicates that in the current prototype, users may only have a certain amount of time after they send a message to unsend it.

In response, a spokesperson confirmed that “Facebook internally tests products and features before they ship to the public so we can ensure the quality of the experience.”

The Unsend feature could be useful to people who say something stupid or inappropriate, disclose a secret they shouldn’t have, or want to erase evidence of their misdeeds. That could make users more comfortable speaking freely on the app, since they know they can retract their texts. But it could also open vectors for abuse, as users could harass people over Messenger and then delete the evidence. Facebook will need to ensure that Unsend doesn’t accidentally become a weapon for bullies.

12 Oct 2018

Elon Musk: Teslaquila tequila is ‘coming soon’

Tesla CEO Elon Musk confirmed Friday in a tweet that the Tesla-branded tequila called “Teslaquila” — the bottle of liquor that co-starred in his April Fool’s Day joke about the automaker filing for bankruptcy — is “coming soon.”

Musk’s tweet was a response to a CNBC article that reported Tesla had filed an application with the U.S. Patent and Trademark Office to trademark “Teslaquila.”

Musk later tweeted a photo of a Teslaquila label.

The Teslaquila story began on April Fool’s Day after Musk posted a photo of himself passed out against a Tesla Model 3 “surrounded by ‘Teslaquilla’ bottles, the tracks of dried tears still visible on his cheeks.” In the photo, Musk is holding a cardboard sign that reads “bankwupt.”

It’s important to note that the filing Monday is an “intent to use” trademark, which, just like it sounds, means Tesla has a “bona fide intention, and is entitled, to use the mark in commerce on or in connection with the identified goods/services.”

12 Oct 2018

Facebook bans hundreds of clickbait farms for ‘coordinated inauthentic behavior’

Facebook has announced a relatively small but significant purge of bad actors from the platform: 810 pages and accounts that have “consistently broken our rules against spam and coordinated inauthentic behavior.” It may not seem like a lot, but it sounds like the company is erring on the side of disclosure even if the news isn’t particularly hard-hitting.

These were not, as far as Facebook could tell, part of an organized nation-state effort or political interference campaign, like the Iranian and Russian groups previously highlighted in these ban alert posts. These are pages that use networks of fake accounts and pages to drive traffic to clickbait articles strictly for the purpose of ad revenue.

810 can’t be much more than a drop in the bucket of fake accounts on Facebook — of which there are millions — but the company’s focus right now isn’t individual bad actors but coordinated ones.

A few hundred accounts working together to do a bit of ad fraud produces a sort of digital footprint that might look similar to a few hundred accounts working together to push a political narrative or sow discontent. And one can turn into the other quite easily.

There are patterns of logins, likes, visits, account creation, and so on that Facebook has been working hard to identify — recently, at least. Although they’ve designed their net to catch the nation-state actors and large-scale operations that have previously been uncovered, small fry like these spammers are getting tangled up as well. Not a bad thing.

“Given the activity we’ve seen — and its timing ahead of the US midterm elections — we wanted to give some details about the types of behavior that led to this action,” the company wrote on its blog.

No doubt they also want to give the impression that there is indeed a cop on the beat. Expect more announcements like this through the midterms as Facebook strives to make it clear that it is working round the clock to keep you, its valuable product users, safe.

12 Oct 2018

Here’s how to find out if your Facebook was hacked in the breach

Are you one of the 30 million users hit by Facebook’s access token breach announced two weeks ago? Here’s how to find out.

  1. Visit this Facebook Help center link while logged in: https://www.facebook.com/help/securitynotice?ref=sec.
  2. Scroll down to the section “Is my Facebook account impacted by this security issue?”
  3. Here you’ll see a Yes or No answer to whether your account was one of the 30 million users impacted
  4. If Yes, you’ll be in one of three categories:
    A. You’re in the 15 million users whose name plus email and/or phone number was accessed.
    B. You’re in the 14 million users who had that data plus account bio data accessed, including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”.
    C. You’re in the 1 million users whose access token was stolen but whose account was never actually accessed with it.

So what should you do if you were hacked?

  1. You don’t necessarily have to change your Facebook password or credit card info as there’s no evidence that data was accessed in the attack
  2. Watch out for spam or scam calls, emails, or messages as your contact info could have been sold to unscrupulous businesses
  3. Be on alert for phishing attempts that may try to email you and get you to sign in to one of your online accounts on a fake page that will steal your data. If you get a suspicious email that looks like it’s from Facebook, you can check here to see if it’s legitimate
  4. If you’re in group B who had their bio info accessed, you may want to contact your bank or cell phone provider and add additional security layers such as a pincode, since hackers may have enough biographical info to perform social engineering attacks where they pretend to be you and use stolen data to answer security questions and gain access.

12 Oct 2018

Facebook breach saw 15M users’ names & contact info stolen, 14M’s bios too

Facebook has now detailed what data was scraped and stolen in the breach it revealed two weeks ago. 30 million users, not 50 million as it initially estimated, had their access tokens stolen by hackers. Users can check Facebook’s Help Center to find out if their information was accessed, and Facebook will send customized alerts to those impacted detailing what was accessed from their account and what they can do to recover. It’s currently not clear if all the information accessed was necessarily scraped.

Facebook’s VP of product management Guy Rosen told reporters on a press call that “We are cooperating with the FBI on this matter” and that “the FBI have asked us not to discuss who may be behind this attack” as its own investigation is ongoing. Disclosing anything about the perpetrator now could cause them to cover their tracks.

15 million of the 30 million users had their name plus phone number and/or email accessed. 14 million had that info plus potentially more biographical info accessed, including “username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches”. The remaining 1 million users’ information wasn’t accessed.

Facebook’s other apps including Messenger, Messenger Kids, Instagram, WhatsApp, Workplace, and Pages, as well as its features for payments, third-party apps, advertisers, and developers were not accessed. Facebook says that law enforcement has asked it not to discuss evidence regarding who committed the attack as the FBI continues its investigation.

Facebook says the breach started when hackers who already held some access tokens exploited a combination of three bugs related to its “View As” privacy feature for seeing your profile from the perspective of someone else. This let them gain access to those accounts’ friends, leading them to steal the access tokens of 400,000 accounts, and they then used a different method to grab tokens from 30 million of their friends.

Unlike most breaches, this one appears to have turned out to be less severe than initially expected. Users seem to already be forgetting about the breach after a short hiccup where they had to log back in to Facebook. It’s possible that this could impact Facebook’s user counts slightly in its Q3 earnings report. But unless a truly nefarious use case for the accessed data is revealed, the breach could fade into the noise of non-stop cybersecurity failures across the web, including Google+’s breach that was covered up and has now prompted the Facebook competitor’s shutdown.

12 Oct 2018

Want to reduce fraud? Make a better password, dummy!

Researchers at Indiana University have confirmed that stringent password policies – aside from being really annoying – actually work. The research was led by Ph.D. student Jacob Abbott, IU CIO Daniel Calarco, and professor L. Jean Camp, who published their findings in a paper entitled “Factors Influencing Password Reuse: A Case Study.”

“Our paper shows that passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites,” said Abbott. “Other universities with fewer password requirements had reuse rates potentially as high as 40 percent.”

To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different U.S. universities, including their home institution, IU. Next, they extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to a university’s domain, passwords were compiled and compared against a university’s official password policy.

The findings were clear: Stringent password rules significantly lower a university’s risk of personal data breaches.

In short, requiring longer passwords and creating a truly stringent password policy reduced fraud and password reuse by almost 99%. Further, the researchers found that preventing users from including their name or username in passwords is also pretty helpful. Ultimately, having a stringent password policy is far better than having none at all. It’s a no-brainer, but it could be an important data point for your next tech project.
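The comparison the study describes (leaked email/password pairs grouped by university domain and checked against that university’s policy) can be reproduced in miniature. This is an added example, not code from the article or the IU paper; the domains, policies and credential records are constructed, and a leaked password that satisfies its institution’s policy is treated as a possible reuse of the institutional password.

```python
"""Audit leaked (email, password) records against per-domain password policies.

Added example: mirrors the study's method of grouping leaked credentials by
e-mail domain and checking each password against that institution's policy.
Domain names, policies and credential pairs are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    # Reject passwords that contain the account name (local part of the e-mail),
    # the second control the article says helps.
    forbid_identity_in_password: bool


# Constructed policies for two hypothetical institutions: one modelled on the
# 15-character minimum the article quotes, one with a lax 8-character rule.
POLICIES = {
    "strict-u.example": PasswordPolicy(min_length=15, forbid_identity_in_password=True),
    "lax-u.example": PasswordPolicy(min_length=8, forbid_identity_in_password=False),
}

# Constructed records in the "email:password" layout common to credential dumps.
SAMPLE_DUMP = """\
alice@strict-u.example:correct-horse-battery-staple
bob@strict-u.example:bob2018!!
carol@lax-u.example:summer18
dave@lax-u.example:dave1234
erin@strict-u.example:erinerinerinerin1
frank@otherdomain.example:whatever
"""


def complies(email: str, password: str, policy: PasswordPolicy) -> bool:
    """True if this password would have been accepted under the given policy."""
    if len(password) < policy.min_length:
        return False
    if policy.forbid_identity_in_password:
        local_part = email.split("@", 1)[0].lower()
        if local_part and local_part in password.lower():
            return False
    return True


def compliance_by_domain(dump: str, policies: dict) -> dict:
    """Map each policed domain to (policy_compliant_count, total_leaked_count).

    Records for domains without a known policy are skipped, as the study only
    scored addresses belonging to the universities whose policies it collected.
    """
    counts = defaultdict(lambda: [0, 0])
    for line in dump.splitlines():
        if ":" not in line or "@" not in line:
            continue  # malformed record, ignore rather than guess
        email, password = line.split(":", 1)
        domain = email.rsplit("@", 1)[-1].lower()
        policy = policies.get(domain)
        if policy is None:
            continue
        counts[domain][1] += 1
        if complies(email, password, policy):
            counts[domain][0] += 1
    return {d: (ok, total) for d, (ok, total) in counts.items()}


if __name__ == "__main__":
    for domain, (ok, total) in compliance_by_domain(SAMPLE_DUMP, POLICIES).items():
        print(f"{domain}: {ok}/{total} leaked passwords satisfy the local policy")
```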

12 Oct 2018

Zyl is now a nostalgia-powered photo app

AI-powered photo management app Zyl is going back to the drawing board with a streamlined, more efficient redesign. The app is now focused on one thing only — resurfacing your old memories.

Taking photos on a smartphone is now a daily habit. But what about looking back at photos you took one year, three years or even eight years ago? It can pile up quite quickly. Zyl thinks there’s emotional value in those long-forgotten photos.

Before this update, Zyl helped you delete duplicates, create smart photo albums based on multiple criteria and collaborate on photo albums. In other words, it was a utility app.

But when the company started talking with some of their users, they realized that one feature stood out and had more value than the rest.

Applying those AI-powered models to your photo library is a great way to find interesting photos. But nobody was really looking at them.

When you open the app, you get a view of your camera roll with your last photos at the bottom. There’s also a big green button at the bottom. When you tap on it, Zyl creates a satisfying animation and unveils an important photo.

If you took multiple photos to capture this moment, the app stitches together those photos and creates a GIF. You can then share this Zyl with a friend or family member.

But the true magic happens if you try to get another Zyl. You have to wait 24 hours to unlock another photo. The next day, the app sends you a notification when your photo is ready. You can always open the app again and look at your past Zyls in a new tab with your most important photos.

Unlike Timehop or Facebook’s “On This Day” feature, Zyl doesn’t look at your social media posts and focuses on your camera roll. Zyl isn’t limited to anniversaries either.

Just like before, Zyl respects your privacy and leaves your photos alone. They’re never sent to the company’s server — Zyl uses the same photo database as the native one on your iPhone or Android phone so it doesn’t eat up more storage.

Over time, the app could give you more options by leveraging facial recognition and the intrinsic social graph of your photo library. Maybe you want to see more photos of your brother as his wedding is coming up.

And that notification can be a powerful nudge. I keep opening the app and sharing old photos. Zyl is a good example of the combination of something that you care about combined with an element of surprise.

12 Oct 2018

Facebook’s gaming hub Fb.gg launches into beta on Android

This summer, Facebook launched Fb.gg, its online gaming hub and Twitch competitor, designed to attract game streamers and their fans to watch videos on Facebook instead of on rival sites. The destination shows videos based on which games and streaming celebrities users follow, plus Liked Pages and Groups, and other featured suggestions of what to watch. Now, Fb.gg is expanding to mobile with its launch on Android.

The new app, first spotted by Sensor Tower, arrived just a few days ago and is currently in beta testing.

According to its description on Google Play, the app allows gamers and fans to discover a “universe of gaming content,” connect with creators and join communities, and play instant games like Everwing, Words with Friends, Basketball FRVR, and others.

From the screenshots, you can see how the Fb.gg app lets users tap navigation buttons at the top to find streamers to watch, or to view those streamers they’re already following, among other things. They can also participate in live conversations during gameplay with other viewers. Here, they can react to the stream using Facebook’s standard emoticon set of likes, hearts, haha’s and others.

Another section lets gamers jump into simple and popular mobile games. These titles are among those that were early participants in Facebook’s other gaming efforts in the past, like Instant Games on Facebook and Messenger.

Facebook has been trying to woo the gaming community for some time, to better compete against Amazon’s Twitch and Google’s YouTube. There’s a large and growing market for game streaming and viewing, with young viewers tuning in an average of 3+ hours a week to watch, as TechCrunch previously noted.

Facebook’s efforts to directly challenge Twitch and others kicked off in earnest this year, with the launch of its own version of Twitch’s Partner Program. Facebook’s gaming creator pilot program, as it’s called, allows viewers to tip their favorite gamers. And with the arrival of Fb.gg in June, the virtual currency involved in those tips was being referred to as Facebook Stars, with each star equating to $0.01.

Facebook said it takes a cut of fans’ purchases of stars, ranging from 5%-30%, depending on what size pack is bought.

Facebook also recently began testing a monthly subscription option with game streamers, similar to what’s offered by YouTube and Twitch.

Of course, to truly compete with Twitch and YouTube, Facebook needs to go mobile as well – especially since the upcoming Messenger redesign will hide away extraneous features, like mobile gaming. That’s where Fb.gg’s app comes in.

The Android version of the Fb.gg beta app launched on October 9, and already has over 10,000 installs, according to Google Play.

We’ve reached out to Facebook for comment on the launch.