Year: 2018

27 Dec 2018

Netflix releases a trailer for ‘Bandersnatch,’ the mysterious new episode of ‘Black Mirror’

What the heck is “Black Mirror: Bandersnatch”?

It’s probably not just a regular episode of the critically acclaimed science fiction anthology series. Netflix has been pretty cryptic about it, only announcing its existence last week, ahead of a December 28 release.

Given the reported 5 hour, 12 minute runtime, “Bandersnatch” may be the choose-your-own-adventure episode that we know was in the works — in that case, it wouldn’t actually take hours and hours to watch, but instead would incorporate multiple paths totaling five hours of footage.

Today, Netflix released a trailer for what it’s describing as “a Black Mirror event.” The story takes place in 1984 and focuses on a programmer (Fionn Whitehead) adapting a fantasy novel into a computer game.

The trailer doesn’t quite come out and say that this will be an interactive episode, but the subject matter and the tagline (“change your mind — change your life — change your past — your present — your future”) seem to be awfully suggestive.

And we won’t have to wait much longer to find out: Netflix says “Black Mirror: Bandersnatch” goes live tomorrow.

27 Dec 2018

Google & Facebook fed ad dollars to child porn discovery apps

Google has scrambled to remove third-party apps that led users to child porn sharing groups on WhatsApp in the wake of TechCrunch’s report about the problem last week. We contacted Google with the name of one of these apps and evidence that it and others offered links to WhatsApp groups for sharing child exploitation imagery. Following publication of our article, Google removed that app and at least five like it from the Google Play store. Several of these apps had over 100,000 downloads, and they’re still functional on devices that already downloaded them.

A screenshot from today of active child exploitation groups on WhatsApp. Phone numbers and photos redacted.

WhatsApp failed to adequately police its platform, confirming to TechCrunch that it’s only moderated by its own 300 employees and not Facebook’s 20,000 dedicated security and moderation staffers. It’s clear that scalable and efficient artificial intelligence systems are not up to the task of protecting the 1.5 billion user WhatsApp community, and companies like Facebook must invest more in unscalable human investigators.

But now, new research provided exclusively to TechCrunch by anti-harassment algorithm startup AntiToxin shows that these removed apps that hosted links to child porn sharing rings on WhatsApp were supported with ads run by Google and Facebook’s ad networks. AntiToxin found 6 of these apps ran Google AdMob, 1 ran Google Firebase, 2 ran Facebook Audience Network, and 1 ran StartApp. These ad networks earned a cut of brands’ marketing spend while allowing the apps to monetize and sustain their operations by hosting ads for Amazon, Microsoft, Motorola, Sprint, Sprite, Western Union, Dyson, DJI, Gett, Yandex Music, Q Link Wireless, Tik Tok, and more.

The situation reveals that tech giants aren’t just failing to spot offensive content in their own apps, but also in third-party apps that host their ads and that earn them money. While these apps like “Group Links For Whats” by Lisa Studio let people discover benign links to WhatsApp groups for sharing legal content and discussing topics like business or sports, TechCrunch found they also hosted links with titles such as “child porn only no adv” and “child porn xvideos” that led to WhatsApp groups with names like “Children ???” or “videos cp” — a known abbreviation for ‘child pornography’.

In a video provided by AntiToxin seen below, the app “Group Links For Whats by Lisa Studio” that ran Google AdMob is shown displaying an interstitial ad for Q Link Wireless before providing WhatsApp group search results for “child”. A group described as “Child nude FBI POLICE” is surfaced, and when the invite link is clicked, it opens within WhatsApp to a group called “Children ???”.  (No illegal imagery is shown in this video or article. TechCrunch has omitted the end of the video that showed a URL for an illegal group and the phone numbers of its members.)

Another video shows the app “Group Link For whatsapp by Video Status Zone” that ran Google AdMob and Facebook Audience Network displaying a link to a WhatsApp group described as “only cp video”. When tapped, the app first surfaces an interstitial ad for Amazon Photos before revealing a button for opening the group within WhatsApp. These videos show how alarmingly easy it was for people to find illegal content sharing groups on WhatsApp, even without WhatsApp’s help.

Zero Tolerance Doesn’t Mean Zero Illegal Content

In response, a Google spokesperson tells me that these group discovery apps violated its content policies and it’s continuing to look for more like them to ban. When they’re identified and removed from Google Play, it also suspends their access to its ad networks. However, it refused to disclose how much money these apps earned and whether it would refund the advertisers. The company provided this statement:

“Google has a zero tolerance approach to child sexual abuse material and we’ve invested in technology, teams and partnerships with groups like the National Center for Missing and Exploited Children, to tackle this issue for more than two decades. If we identify an app promoting this kind of material that our systems haven’t already blocked, we report it to the relevant authorities and remove it from our platform. These policies apply to apps listed in the Play store as well as apps that use Google’s advertising services.”

| App | Developer | Ad Network | Estimated Installs | Last Day Ranked |
|---|---|---|---|---|
| Unlimited Whats Groups Without Limit Group links | Jack Rehan | Google AdMob | 200,000 | 12/18/2018 |
| Unlimited Group Links for Whatsapp | NirmalaAppzTech | Google AdMob | 127,000 | 12/18/2018 |
| Group Invite For Whatsapp | Villainsbrain | Google Firebase | 126,000 | 12/18/2018 |
| Public Group for WhatsApp | Bit-Build | Google AdMob, Facebook Audience Network | 86,000 | 12/18/2018 |
| Group links for Whats – Find Friends for Whats | Lisa Studio | Google AdMob | 54,000 | 12/19/2018 |
| Unlimited Group Links for Whatsapp 2019 | Natalie Pack | Google AdMob | 3,000 | 12/20/2018 |
| Group Link For whatsapp | Video Status Zone | Google AdMob, Facebook Audience Network | 97,000 | 11/13/2018 |
| Group Links For Whatsapp – Free Joining | Developers.pk | StartAppSDK | 29,000 | 12/5/2018 |

Facebook meanwhile blamed Google Play, saying the apps’ eligibility for its Facebook Audience Network ads was tied to their availability on Google Play and that the apps were removed from FAN when booted from the Android app store. The company was more forthcoming, telling TechCrunch it will refund advertisers whose promotions appeared on these abhorrent apps. It’s also pulling Audience Network from all apps that let users discover WhatsApp Groups.

A Facebook spokesperson tells TechCrunch that “Audience Network monetization eligibility is closely tied to app store (in this case Google) review. We removed [Public Group for WhatsApp by Bit-Build] when Google did – it is not currently monetizing on Audience Network. Our policies are on our website and out of abundance of caution we’re ensuring Audience Network does not support any group invite link apps. This app earned very little revenue (less than $500), which we are refunding to all impacted advertisers.” WhatsApp has already banned all the illegal groups TechCrunch reported on last week.

Facebook also provided this statement about WhatsApp’s stance on illegal imagery sharing groups and third-party apps for finding them:

“WhatsApp does not provide a search function for people or groups – nor does WhatsApp encourage publication of invite links to private groups. WhatsApp regularly engages with Google and Apple to enforce their terms of service on apps that attempt to encourage abuse on WhatsApp. Following the reports earlier this week, WhatsApp asked Google to remove all known group link sharing apps. When apps are removed from Google Play store, they are also removed from Audience Network.”

An app with links for discovering illegal WhatsApp Groups runs an ad for Amazon Photos

Israeli NGOs Netivei Reshet and Screen Savers worked with AntiToxin to provide a report published by TechCrunch about the wide extent of child exploitation imagery they found on WhatsApp. Facebook and WhatsApp are still waiting on the groups to work with Israeli police to provide their full research so WhatsApp can delete illegal groups they discovered and terminate user accounts that joined them.

AntiToxin develops technologies for protecting online networks from harassment, bullying, shaming, predatory behavior and sexually explicit activity. It was co-founded by Zohar Levkovitz who sold Amobee to SingTel for $400M, and Ron Porat who was the CEO of ad-blocker Shine. [Disclosure: The company also employs Roi Carthy, who contributed to TechCrunch from 2007 to 2012.] “Online toxicity is at unprecedented levels, at unprecedented scale, with unprecedented risks for children, which is why completely new thinking has to be applied to technology solutions that help parents keep their children safe,” Levkovitz tells me. The company is pushing Apple to remove WhatsApp from the App Store until the problems are fixed, citing how Apple temporarily suspended Tumblr due to child pornography.

Ad Networks Must Be Monitored

Encryption has proven an impediment to WhatsApp preventing the spread of child exploitation imagery. WhatsApp can’t see what is shared inside of group chats. Instead it has to rely on the few pieces of public and unencrypted data such as group names and profile photos plus their members’ profile photos, looking for suspicious names or illegal images. The company matches those images to a PhotoDNA database of known child exploitation photos to administer bans, and has human moderators investigate if seemingly illegal images aren’t already on file. It then reports its findings to law enforcement and the National Center For Missing And Exploited Children. Strong encryption is important for protecting privacy and political dissent, but also thwarts some detection of illegal content and thereby necessitates more manual moderation.

With just 300 total employees and only a subset working on security or content moderation, WhatsApp seems understaffed to manage such a large user base. It’s tried to depend on AI to safeguard its community. However, that technology can’t yet perform the nuanced investigations necessary to combat exploitation. WhatsApp runs semi-independently of Facebook, but could hire more moderators to investigate group discovery apps that lead to child pornography if Facebook allocated more resources to its acquisition.

WhatsApp group discovery apps featured Adult sections that contained links to child exploitation imagery groups

Google and Facebook, with their vast headcounts and profit margins, are neglecting to properly police who hosts their ad networks. The companies have sought to earn extra revenue by powering ads on other apps, yet failed to assume the necessary responsibility to ensure those apps aren’t facilitating crimes. Stricter examinations of in-app content should be administered before an app is accepted to app stores or ad networks, and periodically once they’re running. And when automated systems can’t be deployed, as can be the case with policing third-party apps, human staffers should be assigned despite the cost.

It’s becoming increasingly clear that social networks and ad networks that profit off of other people’s content can’t be low-maintenance cash cows. Companies should invest ample money and labor into safeguarding any property they run or monetize even if it makes the opportunities less lucrative. The strip-mining of the internet without regard for consequences must end.

27 Dec 2018

Security flaws let anyone snoop on Guardzilla smart camera video recordings

A popular smart security system maker has ignored warnings from security researchers that its flagship device has several serious vulnerabilities, including allowing anyone access to the company’s central store of customer-uploaded video recordings.

The researchers at 0DayAllDay found that Guardzilla’s top-selling indoor wireless security system contains a set of hardcoded keys that can be easily extracted, because the device’s root password was protected using a decade-old algorithm that’s nowadays easily crackable. Each device uses the same set of keys to upload video recordings to the company’s Amazon Web Services’ storage servers. Anyone can use these keys to log in and gain full access to the company’s cloud storage — and customer data uploaded from the device.

But the storage servers remain vulnerable — even at the time of publication, TechCrunch can confirm — despite the researchers privately emailing the company detailing the vulnerabilities in September.

“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Rapid7’s research director, who helped coordinate the release of the researchers’ findings.

The team of five researchers said in their report that it took two off-the-shelf consumer graphics cards just three hours to decrypt the eight-letter password protecting the affected Guardzilla device’s firmware that ships with each device. Because the keys were buried in the code, anyone with a Guardzilla device could obtain the keys and gain unfettered access to the company’s 13 storage buckets hosted on Amazon’s servers. The researchers tested the keys but did not use them to access the buckets, they said, to prevent unintentional access to Guardzilla customer data.

TechCrunch confirmed that the keys were still active and linked to the listed buckets as of Wednesday. (We could not verify the contents of the buckets as that would be unlawful.)

Hardcoding keys isn’t an uncommon practice in cheaply manufactured internet-connected devices, but is considered one of the worst security practices for a hardware maker to commit as it’s easy for a hacker to break into a central server storing user data. Hardcoding keys has become such an acute problem that a recently passed California law will soon ban consumer electronics using default and hardcoded credentials from 2020.

Fixing the vulnerability not only requires the keys to be changed on the server, but also a software patch to be rolled out on each affected device.

“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques,” said Beardsley. “The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts.”

“That’s a pretty significant change, but it’s just about the only way to avoid this kind of problem,” he said.
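The design Beardsley describes, sketched as an added example (not code from Guardzilla, the researchers or Rapid7): a proxy keeps the storage credentials on the server and gives every device its own secret, so one extracted secret reaches only that device's recordings and can be revoked on its own. The class and function names, the `recordings/<device_id>/` path layout and the time limits are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import time

GRANT_TTL = 300   # seconds an upload grant stays valid (assumed value)
MAX_SKEW = 60     # tolerated device clock skew in seconds (assumed value)
SAFE_NAME = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9._-]{0,63}")


def sign_request(secret, device_id, object_name, timestamp, nonce):
    """Device side: HMAC over the request fields with the device's own secret."""
    msg = "\n".join([device_id, object_name, str(int(timestamp)), nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class UploadProxy:
    """Hypothetical proxy between cameras and cloud storage.

    Storage credentials never leave the server. A device holds only its own
    secret, so pulling it out of firmware yields one revocable account.
    """

    def __init__(self):
        self._secrets = {}                          # device_id -> per-device secret
        self._revoked = set()
        self._seen = set()                          # (device_id, nonce), replay check
        self._grant_key = secrets.token_bytes(32)   # server-only key that signs grants

    def provision(self, device_id):
        """Run once per unit at manufacture; returns the secret to flash."""
        if not SAFE_NAME.fullmatch(device_id):
            raise ValueError("invalid device id")
        self._secrets[device_id] = secrets.token_bytes(32)
        return self._secrets[device_id]

    def revoke(self, device_id):
        self._revoked.add(device_id)

    def _grant_token(self, key, expires):
        msg = f"{key}\n{expires}".encode()
        return hmac.new(self._grant_key, msg, hashlib.sha256).hexdigest()

    def request_grant(self, device_id, object_name, timestamp, nonce, signature, now=None):
        """Return a short-lived grant for one object, or None if the request fails."""
        now = time.time() if now is None else now
        secret = self._secrets.get(device_id)
        if secret is None or device_id in self._revoked:
            return None
        if not SAFE_NAME.fullmatch(object_name):
            return None
        if abs(now - timestamp) > MAX_SKEW or (device_id, nonce) in self._seen:
            return None
        expected = sign_request(secret, device_id, object_name, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return None
        self._seen.add((device_id, nonce))  # a real service would expire old nonces
        # The path is built from the authenticated device id, never from device input.
        key = f"recordings/{device_id}/{object_name}"
        expires = int(now) + GRANT_TTL
        return {"key": key, "expires": expires, "token": self._grant_token(key, expires)}

    def authorize_put(self, grant, now=None):
        """Storage-side check: the grant is untampered and has not expired."""
        now = time.time() if now is None else now
        expected = self._grant_token(grant["key"], grant["expires"])
        return hmac.compare_digest(expected, grant["token"]) and now <= grant["expires"]


if __name__ == "__main__":
    # Constructed sample: two devices, one of whose secrets has been extracted.
    proxy = UploadProxy()
    leaked = proxy.provision("cam-0001")
    proxy.provision("cam-0002")
    t = int(time.time())
    own = proxy.request_grant("cam-0001", "clip.mp4", t, "a1",
                              sign_request(leaked, "cam-0001", "clip.mp4", t, "a1"))
    other = proxy.request_grant("cam-0002", "clip.mp4", t, "a2",
                                sign_request(leaked, "cam-0002", "clip.mp4", t, "a2"))
    print("own device grant:", own["key"])
    print("other device grant with leaked secret:", other)
    proxy.revoke("cam-0001")
    print("after revocation:", proxy.request_grant(
        "cam-0001", "clip2.mp4", t, "a3",
        sign_request(leaked, "cam-0001", "clip2.mp4", t, "a3")))
```
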

Guardzilla was given three months to fix the security lapse and roll out new firmware to affected devices after the researchers privately reached out, but the company neither acknowledged nor patched the issue, prompting the researchers to go public with their findings.

The researchers also disclosed the vulnerabilities to Carnegie Mellon University’s public vulnerability database, CERT, which is set to issue an advisory Thursday, but received no response from the company.

TechCrunch sent several emails to Guardzilla prior to publication to no avail. After we contacted the company’s registered agent, a law firm in St. Louis, Missouri, chief executive Greg Siwak responded hours before publication, denying that the company received any correspondence. We asked several questions to clarify the company’s position, which we will include here if and when they come in. Siwak was adamant that the “accusations are false,” but did not say why.

When reached, former Guardzilla president Ted Siebenman told TechCrunch that he left the company in February but claimed he was “not aware” of the security issues in the device, including the use of hardcoded keys.

The security researchers found two more vulnerabilities — including several known bugs affecting the device’s continued use of a since-deprecated OpenSSL encryption library from more than two years ago. The researchers also disclosed in their write-up their discovery of “large amounts” of traffic sent from an open port on the device to Guardzilla’s Amazon server, but could not explain why.

Guardzilla doesn’t say how many devices it’s sold or how many customers it has, but touts its hardware selling in several major U.S. retailers, including Amazon, Best Buy, Target, Walmart and Staples.

For now, your safest bet is to unplug your Guardzilla from the wall and stop using it.

27 Dec 2018

New e-commerce restrictions in India just ruined Christmas for Amazon and Walmart

The Indian government is playing the role of festive party pooper for Walmart and Amazon after it announced new regulations that look set to impede the U.S. duo’s efforts to grow their businesses in India.

Online commerce in the country is tipped to surpass $100 billion per year by 2022 up from $35 billion today as more Indians come online, according to a report co-authored by PwC. But 2019 could be a very different year after an update to the country’s policy for foreign direct investment (FDI) appeared to end the practice of discounts, exclusive sales and more.

The three main takeaways from the new policy, which will go live on February 1, are a ban on exclusive sales, the outlawing of retailers selling products on platforms they count as investors, and restrictions on discounts and cashback.

Those first two clauses are pretty clear and will have a significant impact on Amazon — which has pumped some $5 billion into India — and Walmart, which forked out $16 billion to buy India-based Flipkart.

Both online retailers have been able to make a splash by tying up with brands for exclusive online sales, particularly in the smartphone space where, for example, Amazon has worked with Xiaomi and Flipkart has collaborated with Oppo. The new guideline would appear to end that practice, while adding further restrictions to complicate relationships with vendors. From February, brands will be forbidden from selling more than 25 percent of their sales via any single e-commerce marketplace.

Walmart bought Flipkart for $16 billion, but already both founders of the Indian company have left [Photo by AFP/Getty Images]

Beyond restricting companies like Oppo — Xiaomi prioritizes its own Mi.com site for sales — that 25 percent ruling is a headache for Amazon, which operates a number of joint ventures with Indian retailers. Those JVs were designed to circumvent a 2016 ruling that prevented foreign e-commerce businesses from owning inventory, but now they seem outlawed.

Cloudtail India (a 49:51 JV between Amazon and Catamaran Ventures) is Amazon’s biggest seller while another major one is Appario Retail, a collaboration with Patni Group. Together, both sell more than 25 percent of product on Amazon, use exclusive deals and are part-owned by Amazon. That’s three strikes.

Those rules will have Amazon and Walmart-Flipkart working to find alternatives, but there’s more with restrictions on discounts and cashback offers, which could massively cramp the appeal of online commerce, which has been to undercut brick and mortar retailers with heavy subsidies.

Here’s the relevant part of the note:

E-commerce entities providing marketplace will not directly or indirectly influence the sale price of goods or services and shall maintain level playing field…

Cash back provided by group companies of marketplace entity to buyers shall be fair and non-discriminatory.

Exactly what constitutes a “level playing field” or “fair” may be open to interpretation, but clearly this update gives offline retailers a route to protest pricing on online retail sites.

The first thought is that these new updates are focused on the core business model tenets that make e-commerce what it is today.

“It will kill competition and there will be nothing for online retailers to differentiate on,” Amarjeet Singh, a partner at KPMG, told Quartz (https://qz.com/india/1508340/indias-new-e-commerce-fdi-rules-may-hurt-amazon-flipkart/) in a comment.

The new regulation is widely seen as a response to concerns from smaller sellers, who feel marginalized and powerless compared to larger organizations. Now, with capital-intensive policies such as discounts, exclusive sales relationships and strategic investment off the table, smaller players will gain a foothold and be able to do more from e-commerce, according to Kunal Bahl, CEO of Snapdeal — a niche e-commerce firm that once competed head-to-head with Flipkart and Amazon.

It’s shaping up to be a very different year for e-commerce in India in 2019.

27 Dec 2018

Alibaba just gave Chinese youth another reason to never leave their desk

People in China have a host of reasons not to go outdoors these days. They may be too busy to leave their office, wary of air pollution or have chosen to live isolated lives. Among them is an expanding young consumer base who prefers to dwell in the virtual world of video games, animes and comics over the tangible reality. More important, there’s an endless list of startups pandering to their impulse to stay indoors with services from online shopping to food delivery.

Two Chinese internet giants are chasing after this indoorsy crowd. Last week, food delivery giant Ele.me announced that it’s teamed up with youth entertainment site Bilibili on a one-off joint membership that will further keep young consumers at their desk.

Ele.me, which means “are you hungry?” in Chinese, was sold to ecommerce behemoth Alibaba in April. Bilibili, which went public in the U.S. this year, started as a video streaming service focused on animes and has evolved into a one-stop destination for all things related to youth cultures: Animes, comics, cosplay, video games and other niches that you and I may fail to name.

Their marriage gives subscribers the best of both worlds: Unlimited streaming of animes and deep discounts on food delivery orders. Bilibili has been doubling down on content investments in recent months, which saw it agree to buy out most of the comics assets of Netease, one of China’s largest internet companies. What’s better than binging on one’s favorite anime series and not having to leave home when the stomach growls? (Whether this is a healthy lifestyle is another topic.)

The promotion, which runs from December 23 to December 30, allows people to purchase the memberships of Bilibili and Ele.me at 25 yuan, or $3.63, a month. That’s a 15 yuan discount from what users would have to pay were they to subscribe to the two services separately. The rationale behind the tie-up is an overlapping Generation Z user base. By 2017, about 82 percent of Bilibili’s users are 8 to 28 years old, according to a report by QuestMobile. Meanwhile, more than 60 percent of the users who order food online in China are under 24 years old.

China’s food delivery market is set to top 243 billion yuan, or $35 billion, by the end of 2018, according to iiMedia. By then, China will have 355 million users of food delivery apps — or about 40 percent of its national population. Five years ago, there were just over 100 million users for this market.

The boom has jacked up the price tags of market leaders Ele.me, which was valued at $9.5 billion in the Alibaba deal, and Tencent-backed Meituan Dianping, which had a spectacular initial public offering in Hong Kong in September.

Alibaba and Bilibili call their joint membership “Zhai E Kuai,” a wordplay on “be otaku together.” The Japanese word “otaku” originally means “someone else’s venerable home” and later took on a new life to describe someone who is so obsessed with a subject or hobby to the point of not leaving home. Bilibili’s core users are often stereotypically described as otakus of animes or video games, though certainly not all of them shun the outside world.

Aside from Bilibili, Alibaba has also been pally with Starbucks as the two began integrating their rewards systems.

Memberships similar to Amazon Prime have become an increasingly popular tactic for China’s tech giants to drive revenue growth. Alibaba, for instance, has lumped services of its portfolio companies under 88 Membership that spans ecommerce (Tmall), fresh produce (Tmall), food delivery (Ele.me), video streaming (Youku), music streaming (Xiami), movie tickets (Taopiaopiao) among others. Tencent has taken a different approach to membership with its King Card mobile internet plan, a partnership with China’s major telco that gives users unlimited data usage on apps in Tencent’s ecosystem — from social networks, video streaming to games.

26 Dec 2018

Let your new Roomba build a Doom level of your house with DOOMBA

Some of you out there may be lucky enough to have received over the holidays a fancy new robot vacuum. Turns out it’s even more useful than you’d think: in addition to cleaning your home, it can scan its surroundings and produce a Doom level of your home! Just the right thing to ring in the new year: Hell on Earth.

It’s not an official iRobot feature, unfortunately, but rather a hack put together by veteran game engineer Rich Whitehouse. He noticed that Roombas were actually putting together some pretty detailed environment data with their sensors, and naturally felt this capability should be applied to a 25-year-old video game.

By combining Doom with Roomba, Whitehouse realized he would not only be able to make something fun, but to “unleash a truly terrible pun to plague humankind.” To wit: DOOMBA.

It works like this, though if you don’t have a Roomba 980, there’s no guarantee it’ll work at all: Using a special utility, your PC will detect the Roomba on the wireless network and begin tracking its movements and collected data. When the little robot has done its work, the data is saved in a file, which you can then convert to a Doom wad via DOOMBA, a plugin for Whitehouse’s Noesis image/model conversion app.

The shape of the level will be taken from your place, but of course things may look a little different. More monsters, probably. That depends on the randomization settings you choose, which control what weapons, critters, and other features show up in this hellish new version of your home.

It’s all free, except for Doom and the Roomba, so if you have both, get cracking. Thanks to Rich for this fun holiday distraction.

26 Dec 2018

Fortnite players report queue issues as Epic experiences a ‘minor service outage’

Epic Games is having its own Christmas hangover. On Wednesday, a number of Fortnite players reported long queues that time out and problems logging in to Fortnite’s servers. The company is aware of the issue and tweeted that it’s investigating the cause behind the outage that some users are running into when they try to log in.

We were able to replicate the problem around 1pm Pacific Time, with the game repeatedly throwing us into a queue for around five minutes before timing out. One time, we did successfully log in. When the login failed, we were met with the message “Unable to join the Fortnite login queue. Please try again later.”

Epic has pointed eager holiday players to its status page, where the company reports a “minor service outage” affecting Game Services. The page also notes that Login and Matchmaking are currently experiencing “degraded performance.” TechCrunch has reached out to Epic about the cause of the downtime.

While it’s not quite as catastrophic for an online game as a proper Christmas day outage, the time between Christmas and New Year’s is sure to be a massive week for Epic’s hit game. Given that Epic makes bank charging for cosmetic upgrades through an online store, we’d be curious how much revenue the company loses every minute Fortnite is down during a peak play time. On the other hand, we might rather not know.

26 Dec 2018

SpaceX’s Starship goes sci-fi shiny with stainless steel skin

SpaceX’s futuristic Starship interplanetary craft may embody the golden age of sci-fi in more ways than one: in addition to (theoretically) taking passengers from planet to planet, it may sport a shiny stainless steel skin that makes it look like the pulp covers of old.

Founder and CEO Elon Musk teased the possibility in a picture posted to Twitter, captioned simply “Stainless Steel Starship.” To be clear, this isn’t a full-on spacecraft, just part of a test vehicle that the company plans to use during the short “hopper” flights in 2019 to evaluate various systems.

As with most Musk tweets, this kicked off a storm of speculation and argument in the Twitterverse.

The choice surprised many because for years, modern spaceflight has been dependent on advanced composite materials like carbon fiber, which combine desirable physical properties with low weight. When metal has been required, aluminum or titanium are much more common. While some launch components, like the upper stage of the Atlas 5 rocket, have liberally used steel, it’s definitely not an obvious choice for a craft like the Starship, which will have to deal with both deep space and repeated reentry.

As Musk pointed out in subsequent comments, however, stainless steel has some advantages versus other materials when at extremely hot or cold temperatures.

This is a special full-hardness steel alloy mentioned as being among the 300 series of high-strength, heat-resistant alloys — not the plentiful, pliable stuff we all have in our kitchens and buildings. Musk also mentioned another “superalloy” called SX500 that SpaceX’s metallurgists have developed for use in the Raptor engines that will power the vehicle.

So why stainless? It’s likely all about reentry.

Many craft and reusable stages that have to face the heat of entering the atmosphere at high speed use “ablative” heat shielding that disintegrates or breaks away in a controlled fashion, carrying heat away from the vehicle.

It’s unlikely this is a possibility for Starship, however, as replacing and repairing this material would necessitate downtime and crews wherever and whenever it lands, and the craft is meant to be (eventually) a quick-turnaround ship with maximum reusability. Heat shielding that reflects and survives is a better bet for that — but an enormous engineering problem.

Scott Manley put together a nice video illustrating some of these ideas and speculations in detail:

Musk said before of the Starship (then still called BFR) that “almost the entire time it is reentering, it’s just trying to brake, while distributing that force over the most area possible.” Reentry will probably look more like a Space Shuttle-esque glide than a Falcon 9 first stage’s ballistic descent and engine braking.

The switch to stainless steel has the pleasant side effect of making the craft look really cool — more in line with sci-fi books and comics than their readers perhaps ever thought to hope. Paint jobs would burn right off, Musk said:

You can’t expect it to stay shiny for long, though; it may be stainless, but like a pan you left on the stove, stainless steel can still scorch and the bottom of the Starship will likely look pretty rough after a while. It’s all right — spacecraft developing a patina is a charming evolution.

Details are still few, and for all we know SpaceX could redesign the craft again based on how tests go. Next year will see the earliest hopper flights for Starship hardware and possibly the Super Heavy lower stage that will lift its great shiny bulk out of the lower atmosphere.

The technical documentation promised by Musk should arrive in March or April, but whether it will pertain solely to the test vehicle or give a glimpse at the craft SpaceX intends to send around the moon is anyone’s guess. At any rate you should expect more information to be spontaneously revealed before then at Musk’s discretion — or lack thereof.

26 Dec 2018

Cyber breaches abound in 2019

News of high-profile cyber breaches has been uncharacteristically subdued in recent quarters. However, we recently learned that Marriott International/Starwood was the victim of the multi-year theft of personal information on up to 500 million customers — rivaled only by hacks against Yahoo in 2013 and 2014.

Is this a harbinger of a worse hacking landscape in 2019?

The answer is unequivocally yes. No question, cyber breaches have been a gigantic thorn in the global economy for years. But expect them to be even more rampant in the new year as chronically improving malware will be deployed more aggressively on more fronts.

In addition, as companies increasingly pursue digitization to drive efficiency, reduce costs and build data-driven businesses, they simultaneously move into the “target zone” of cyber attacks. As the digital economy expands, the threat landscape naturally follows suit. Compounding the situation is the use of machine learning and AI as hackers and other bad actors look to scale their bad behavior.

Look for AI-driven chatbots to go rogue, a substantial increase in crimeware-as-a-service, acceleration of the weaponization of data, a resurgence in ransomware and a significant increase in nation-state cyberattacks. Also on a growth track is so-called cryptojacking — a quiet, more insidious avenue of profit that relies on invasive methods of initial access and drive-by scripts on websites to steal resources from unsuspecting victims.

Then, too, we will also see a substantial increase in software subversion, including the specific targeting of developers for attack and the likely proliferation of software update supply chain attacks.

Here is a mini dive into the top pending threats:

The emergence of AI-driven chatbots. In the new year, cybercriminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information. A hijacked chatbot could easily misdirect victims to nefarious links rather than legitimate ones. Attackers are also likely to leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one.

Attacks on cities with crimeware-as-a-service, a new component of the underground economy. Adversaries will leverage new tools that among other things attack data integrity, disabling computers to the point of requiring mandatory hardware replacements. Terrorist-related groups will be the likely culprits.

A significant increase in nation-state attacks. Russia has been a leader in using targeted cyberactions as part of larger objectives. Earlier this year, for example, the FBI disclosed that Sofacy group, a Russian persistent threat actor, infected more than 500,000 home office routers and network-attached storage devices worldwide to remotely control them. Look for other nation-states to follow the same sort of playbook, helped by billions of poorly secured IoT devices.

The growing weaponization of data. Already a huge problem, it is certain to worsen, notwithstanding efforts among some technology giants to enhance user security and privacy. Balancing the negatives with the positives, tens of millions of compromised web users have begun to seriously question how much they really benefit from the internet.

Consider, for example, Facebook, which has made no secret of using personal data and “private” correspondence to annually generate billions of dollars in profits. Users willingly “like” interests and brands, volunteering personal information. This enables Facebook to provide a more complete image of its user base — a gold mine for advertisers.

Much worse, Facebook earlier this year tried to manipulate user moods through an “emotional contagion” experiment. This pitted users against their peers to influence their emotions, i.e. the weaponization of data.

A resurgence in ransomware. Ransomware exploded onto the scene in 2017 following the WannaCry outbreak and a series of successful follow-up ransomware attacks targeting high-profile victims. According to the FBI, total ransomware payments in the U.S. have in some years exceeded $1 billion. There were scant high-profile ransomware victims in recent months, but the problem is highly likely to bounce back strongly in 2019. Ransomware attacks come in waves, and the next one is due.

Increased subversion of software development processes and attacks on software update supply chains. Regarding software development, malware has already been detected in select open-source software libraries. Meanwhile, software update supply chain attacks compromise software vendors’ update packages. When customers download and install updates, they unwittingly introduce malware into their systems. In 2017, there was an average of one attack every month, compared to virtually none in 2016, according to Symantec. The trend continued in 2018 and will become worse next year.

More cyber attacks on satellites. In June, Symantec reported that an unnamed group had successfully targeted the satellite communications of Southeast Asia telecom companies involved in geospatial mapping and imaging. Symantec also reported attacks originating in China last year on a defense contractor’s satellite.

Separately, we learned in August at the annual Black Hat information security conference that the satellite communications used by ships, planes and the military to connect to the internet are vulnerable to hackers. In the worst-case scenario, the research said, hackers could carry out “cyber-physical attacks” that could turn satellite antennas into weapons that essentially operate like microwave ovens.

Fortunately, the cyber outlook for 2019 is not altogether grim.

On the cybersecurity side, a growing number of experts believe that multi-factor authentication will become the standard for all online businesses, abandoning password-only access. In addition, a number of states are expected to adopt some version of Europe’s strict General Data Protection Legislation. California, for one, has already passed legislation that will make it easier for consumers to sue companies after a data breach, starting in 2020.

The upshot is that individuals, businesses and government entities need to do everything possible to improve the state of their cybersecurity. They cannot eliminate breaches, but they can avert some and improve the chances of mitigating them.