encryption

Auto Added by WPeMatico

1 2 3 7

LOVE unveils a modern video messaging app with a business model that puts users in control

A London-headquartered startup called LOVE, valued at $17 million following its pre-seed funding, aims to redefine how people stay in touch with close family and friends. The company is launching a messaging app that offers a combination of video calling as well as asynchronous video and audio messaging, in an ad-free, privacy-focused experience with a number of bells and whistles, including artistic filters and real-time transcription and translation features.

But LOVE’s bigger differentiator may not be its product alone, but rather the company’s mission.

LOVE aims for its product direction to be guided by its user base in a democratic fashion as opposed to having the decisions made about its future determined by an elite few at the top of some corporate hierarchy. In addition, the company’s longer-term goal is ultimately to hand over ownership of the app and its governance to its users, the company says.

These concepts have emerged as part of bigger trends towards a sort of “Web 3.0,” or next phase of internet development, where services are decentralized, user privacy is elevated, data is protected and transactions take place on digital ledgers, like a blockchain, in a more distributed fashion.

LOVE’s founders are proponents of this new model, including serial entrepreneur Samantha Radocchia, who previously founded three companies and was an early advocate for the blockchain as the co-founder of Chronicled, an enterprise blockchain company focused on the pharmaceutical supply chain.

As someone who’s been interested in emerging technology since her days of writing her anthropology thesis on currency exchanges in “Second Life’s” virtual world, she’s now faculty at Singularity University, where she’s given talks about blockchain, AI, Internet of Things, Future of Work, and other topics. She’s also authored an introductory guide to the blockchain with her book “Bitcoin Pizza.”

Co-founder Christopher Schlaeffer, meanwhile, held a number of roles at Deutsche Telekom, including chief product & innovation officer, corporate development officer and chief strategy officer, where he along with Google execs introduced the first mobile phone to run Android. He was also chief digital officer at the telecommunication services company VEON.

The two crossed paths after Schlaeffer had already begun the work of organizing a team to bring LOVE to the public, which includes co-founders Chief Technologist Jim Reeves, also previously of VEON, and Chief Designer Timm Kekeritz, previously an interaction designer at international design firm IDEO in San Francisco, design director at IXDS and founder of design consultancy Raureif in Berlin, among other roles.

Image Credits: LOVE

Explained Radocchia, what attracted her to join as CEO was the potential to create a new company that upholds more positive values than what’s often seen today — in fact, the brand name “LOVE” is a reference to this aim. She was also interested in the potential to think through what she describes as “new business models that are not reliant on advertising or harvesting the data of our users,” she says.

To that end, LOVE plans to monetize without any advertising. While the company isn’t ready to explain its business model in full, it would involve users opting in to services through granular permissions and membership, we’re told.

“We believe our users will much rather be willing to pay for services they consciously use and grant permissions to in a given context than have their data used for an advertising model which is simply not transparent,” says Radocchia.

LOVE expects to share more about the model next year.

As for the LOVE app itself, it’s a fairly polished mobile messenger offering an interesting combination of features. Like any other video chat app, you can video call with friends and family, either in one-on-one calls or in groups. Currently, LOVE supports up to five call participants, but expects to expand that as it scales. The app also supports video and audio messaging for asynchronous conversations. There are already tools that offer this sort of functionality on the market, of course — like WhatsApp, with its support for audio messages, or video messenger Marco Polo. But they don’t offer quite the same expanded feature set.

Image Credits: LOVE

For starters, LOVE limits its video messages to 60 seconds, for brevity’s sake. (As anyone who’s used Marco Polo knows, videos can become a bit rambling, which makes it harder to catch up when you’re behind on group chats.) In addition, LOVE allows you to both watch the video content as well as read the real-time transcription of what’s being said — the latter which comes in handy not only for accessibility’s sake, but also for those times you want to hear someone’s messages but aren’t in a private place to listen or don’t have headphones. Conversations can also be translated into 50 languages.

“A lot of the traditional communication or messenger products are coming from a paradigm that has always been text-based,” explains Radocchia. “We’re approaching it completely differently. So while other platforms have a lot of the features that we do, I think that…the perspective that we’ve approached it has completely flipped it on its head,” she continues. “As opposed to bolting video messages on to a primarily text-based interface, [LOVE is] actually doing it in the opposite way and adding text as a sort of a magically transcribed add-on — and something that you never, hopefully, need to be typing out on your keyboard again,” she adds.

The app’s user interface, meanwhile, has been designed to encourage eye-to-eye contact with the speaker to make conversations feel more natural. It does this by way of design elements where bubbles float around as you’re speaking and the bubble with the current speaker grows to pull your focus away from looking at yourself. The company is also working with the curator of Serpentine Gallery in London, Hans Ulrich-Obrist, to create new filters that aren’t about beautification or gimmicks, but are instead focused on introducing a new form of visual expression that makes people feel more comfortable on camera.

For the time being, this has resulted in a filter that slightly abstracts your appearance, almost in the style of animation or some other form of visual arts.

The app claims to use end-to-end encryption and the automatic deletion of its content after seven days — except for messages you yourself recorded, if you’ve chosen to save them as “memorable moments.”

“One of our commitments is to privacy and the right-to-forget,” says Radocchia. “We don’t want to be or need to be storing any of this information.”

LOVE has been soft-launched on the App Store, where it’s been used with a number of testers and is working to organically grow its user base through an onboarding invite mechanism that asks users to invite at least three people to join. This same onboarding process also carefully explains why LOVE asks for permissions — like using speech recognition to create subtitles.

LOVE says its valuation is around $17 million USD following pre-seed investments from a combination of traditional startup investors and strategic angel investors across a variety of industries, including tech, film, media, TV and financial services. The company will raise a seed round this fall.

The app is currently available on iOS, but an Android version will arrive later in the year. (Note that LOVE does not currently support the iOS 15 beta software, where it has issues with speech transcription and in other areas. That should be resolved next week, following an app update now in the works.)

Powered by WPeMatico

Opaque raises $9.5M seed to secure sensitive data in the cloud

Opaque, a new startup born out of Berkeley’s RISELab, announced a $9.5 million seed round today to build a solution to access and work with sensitive data in the cloud in a secure way, even with multiple organizations involved. Intel Capital led today’s investment with participation by Race Capital, The House Fund and FactoryHQ.

The company helps customers work with secure data in the cloud while making sure the data they are working on is not being exposed to cloud providers, other research participants or anyone else, says company president Raluca Ada Popa.

“What we do is we use this very exciting hardware mechanism called Enclave, which [operates] deep down in the processor — it’s a physical black box — and only gets decrypted there. […] So even if somebody has administrative privileges in the cloud, they can only see encrypted data,” she explained.

Company co-founder Ion Stoica, who was a co-founder at Databricks, says the startup’s solution helps resolve two conflicting trends. On one hand, businesses increasingly want to make use of data, but at the same time are seeing a growing trend toward privacy. Opaque is designed to resolve this by giving customers access to their data in a safe and fully encrypted way.

The company describes the solution as “a novel combination of two key technologies layered on top of state-of-the-art cloud security—secure hardware enclaves and cryptographic fortification.” This enables customers to work with data — for example to build machine learning models — without exposing the data to others, yet while generating meaningful results.

Popa says this could be helpful for hospitals working together on cancer research, who want to find better treatment options without exposing a given hospital’s patient data to other hospitals, or banks looking for money laundering without exposing customer data to other banks, as a couple of examples.

Investors were likely attracted to the pedigree of Popa, a computer security and applied crypto professor at UC Berkeley and Stoica, who is also a Berkeley professor and co-founded Databricks. Both helped found RISELabs at Berkeley where they developed the solution and spun it out as a company.

Mark Rostick, vice president and senior managing director at lead investor Intel Capital says his firm has been working with the founders since the startup’s earliest days, recognizing the potential of this solution to help companies find complex solutions even when there are multiple organizations involved sharing sensitive data.

“Enterprises struggle to find value in data across silos due to confidentiality and other concerns. Confidential computing unlocks the full potential of data by allowing organizations to extract insights from sensitive data while also seamlessly moving data to the cloud without compromising security or privacy,” Rostick said in a statement

He added, “Opaque bridges the gap between data security and cloud scale and economics, thus enabling inter-organizational and intra-organizational collaboration.”

 

Powered by WPeMatico

For startups, trustworthy security means going above and beyond compliance standards

When it comes to meeting compliance standards, many startups are dominating the alphabet. From GDPR and CCPA to SOC 2, ISO27001, PCI DSS and HIPAA, companies have been charging toward meeting the compliance standards required to operate their businesses.

Today, every healthcare founder knows their product must meet HIPAA compliance, and any company working in the consumer space would be well aware of GDPR, for example.

But a mistake many high-growth companies make is that they treat compliance as a catchall phrase that includes security. Thinking this could be an expensive and painful error. In reality, compliance means that a company meets a minimum set of controls. Security, on the other hand, encompasses a broad range of best practices and software that help address risks associated with the company’s operations.

It makes sense that startups want to tackle compliance first. Being compliant plays a big role in any company’s geographical expansion to regulated markets and in its penetration to new industries like finance or healthcare. So in many ways, achieving compliance is a part of a startup’s go-to-market kit. And indeed, enterprise buyers expect startups to check the compliance box before signing on as their customer, so startups are rightfully aligning around their buyers’ expectations.

One of the best ways startups can begin tackling security is with an early security hire.

With all of this in mind, it’s not surprising that we’ve witnessed a trend where startups achieve compliance from the very early days and often prioritize this motion over developing an exciting feature or launching a new campaign to bring in leads, for instance.

Compliance is an important milestone for a young company and one that moves the cybersecurity industry forward. It forces startup founders to put security hats on and think about protecting their company, as well as their customers. At the same time, compliance provides comfort to the enterprise buyer’s legal and security teams when engaging with emerging vendors. So why is compliance alone not enough?

First, compliance doesn’t mean security (although it is a step in the right direction). It is more often than not that young companies are compliant while being vulnerable in their security posture.

What does it look like? For example, a software company may have met SOC 2 standards that require all employees to install endpoint protection on their devices, but it may not have a way to enforce employees to actually activate and update the software. Furthermore, the company may lack a centrally managed tool for monitoring and reporting to see if any endpoint breaches have occurred, where, to whom and why. And, finally, the company may not have the expertise to quickly respond to and fix a data breach or attack.

Therefore, although compliance standards are met, several security flaws remain. The end result is that startups can suffer security breaches that end up costing them a bundle. For companies with under 500 employees, the average security breach costs an estimated $7.7 million, according to a study by IBM, not to mention the brand damage and lost trust from existing and potential customers.

Second, an unforeseen danger for startups is that compliance can create a false sense of safety. Receiving a compliance certificate from objective auditors and renowned organizations could give the impression that the security front is covered.

Once startups start gaining traction and signing upmarket customers, that sense of security grows, because if the startup managed to acquire security-minded customers from the F-500, being compliant must be enough for now and the startup is probably secure by association. When charging after enterprise deals, it’s the buyer’s expectations that push startups to achieve SOC 2 or ISO27001 compliance to satisfy the enterprise security threshold. But in many cases, enterprise buyers don’t ask sophisticated questions or go deeper into understanding the risk a vendor brings, so startups are never really called to task on their security systems.

Third, compliance only deals with a defined set of knowns. It doesn’t cover anything that is unknown and new since the last version of the regulatory requirements were written.

For example, APIs are growing in use, but regulations and compliance standards have yet to catch up with the trend. So an e-commerce company must be PCI-DSS compliant to accept credit card payments, but it may also leverage multiple APIs that have weak authentication or business logic flaws. When the PCI standard was written, APIs weren’t common, so they aren’t included in the regulations, yet now most fintech companies rely heavily on them. So a merchant may be PCI-DSS compliant, but use nonsecure APIs, potentially exposing customers to credit card breaches.

Startups are not to blame for the mix-up between compliance and security. It is difficult for any company to be both compliant and secure, and for startups with limited budget, time or security know-how, it’s especially challenging. In a perfect world, startups would be both compliant and secure from the get-go; it’s not realistic to expect early-stage companies to spend millions of dollars on bulletproofing their security infrastructure. But there are some things startups can do to become more secure.

One of the best ways startups can begin tackling security is with an early security hire. This team member might seem like a “nice to have” that you could put off until the company reaches a major headcount or revenue milestone, but I would argue that a head of security is a key early hire because this person’s job will be to focus entirely on analyzing threats and identifying, deploying and monitoring security practices. Additionally, startups would benefit from ensuring their technical teams are security-savvy and keep security top of mind when designing products and offerings.

Another tactic startups can take to bolster their security is to deploy the right tools. The good news is that startups can do so without breaking the bank; there are many security companies offering open-source, free or relatively affordable versions of their solutions for emerging companies to use, including Snyk, Auth0, HashiCorp, CrowdStrike and Cloudflare.

A full security rollout would include software and best practices for identity and access management, infrastructure, application development, resiliency and governance, but most startups are unlikely to have the time and budget necessary to deploy all pillars of a robust security infrastructure.

Luckily, there are resources like Security 4 Startups that offer a free, open-source framework for startups to figure out what to do first. The guide helps founders identify and solve the most common and important security challenges at every stage, providing a list of entry-level solutions as a solid start to building a long-term security program. In addition, compliance automation tools can help with continuous monitoring to ensure these controls stay in place.

For startups, compliance is critical for establishing trust with partners and customers. But if this trust is eroded after a security incident, it will be nearly impossible to regain it. Being secure, not only compliant, will help startups take trust to a whole other level and not only boost market momentum, but also make sure their products are here to stay.

So instead of equating compliance with security, I suggest expanding the equation to consider that compliance and security equal trust. And trust equals business success and longevity.

Powered by WPeMatico

Cape Privacy announces $20M Series A to help companies securely share data

Cape Privacy, the early-stage startup that wants to make it easier for companies to share sensitive data in a secure and encrypted way, announced a $20 million Series A today.

Evolution Equity Partners led the round with participation from new investors Tiger Global Management, Ridgeline Partners and Downing Lane. Existing investors Boldstart Ventures, Version One Ventures, Haystack, Radical Ventures and a slew of individual investors also participated. The company has now raised approximately $25 million, including a $5 million seed investment we covered last June.

Cape Privacy CEO Ché Wijesinghe says that the product has evolved quite a bit since we last spoke. “We have really focused our efforts on encrypted learning, which is really the core technology, which was fundamental to allowing the multi-party compute capabilities between two organizations or two departments to work and build machine learning models on encrypted data,” Wijesinghe told me.

Wijesinghe says that a key business case involves a retail company owned by a private equity firm sharing data with a large financial services company, which is using the data to feed its machine learning models. In this case, sharing customer data, it’s essential to do it in a secure way and that is what Cape Privacy claims is its primary value prop.

He said that while the data sharing piece is the main focus of the company, it has data governance and compliance components to be sure that entities sharing data are doing so in a way that complies with internal and external rules and regulations related to the type of data.

While the company is concentrating on financial services for now, because Wijesinghe has been working with these companies for years, he sees uses cases far beyond a single vertical, including pharmaceuticals, government, healthcare telco and manufacturing.

“Every single industry needs this and so we look at the value of what Cape’s encrypted learning can provide as really being something that can be as transformative and be as impactful as what SSL was for the adoption of the web browser,” he said.

Richard Seewald, founding and managing partner at lead investor Evolution Equity Partners likes that ability to expand the product’s markets. “The application in Financial Services is only the beginning. Cape has big plans in life sciences and government where machine learning will help make incredible advances in clinical trials and counter-terrorism for example. We anticipate wide adoption of Cape’s technology across many use cases and industries,” he said.

The company has recently expanded to 20 people and Wijesinghe, who is half Asian, takes DEI seriously. “We’ve been very, very deliberate about our DEI efforts, and I think one of the things that we pride ourselves in is that we do foster a culture of acceptance, that it’s not just about diversity in terms of color, race, gender, but we just hired our first nonbinary employee,” he said,

Part of making people feel comfortable and included involves training so that fellow employees have a deeper understanding of the cultural differences. The company certainly has diversity across geographies with employees in 10 different time zones.

The company is obviously remote with a spread like that, but once the pandemic is over, Wijesinghe sees bringing people together on occasion with New York City as the hub for the company, where people from all over the world can fly in and get together.

Powered by WPeMatico

Enterprise security attackers are one password away from your worst day

If the definition of insanity is doing the same thing over and over and expecting a different outcome, then one might say the cybersecurity industry is insane.

Criminals continue to innovate with highly sophisticated attack methods, but many security organizations still use the same technological approaches they did 10 years ago. The world has changed, but cybersecurity hasn’t kept pace.

Distributed systems, with people and data everywhere, mean the perimeter has disappeared. And the hackers couldn’t be more excited. The same technology approaches, like correlation rules, manual processes and reviewing alerts in isolation, do little more than remedy symptoms while hardly addressing the underlying problem.

The current risks aren’t just technology problems; they’re also problems of people and processes.

Credentials are supposed to be the front gates of the castle, but as the SOC is failing to change, it is failing to detect. The cybersecurity industry must rethink its strategy to analyze how credentials are used and stop breaches before they become bigger problems.

It’s all about the credentials

Compromised credentials have long been a primary attack vector, but the problem has only grown worse in the midpandemic world. The acceleration of remote work has increased the attack footprint as organizations struggle to secure their network while employees work from unsecured connections. In April 2020, the FBI said that cybersecurity attacks reported to the organization grew by 400% compared to before the pandemic. Just imagine where that number is now in early 2021.

It only takes one compromised account for an attacker to enter the active directory and create their own credentials. In such an environment, all user accounts should be considered as potentially compromised.

Nearly all of the hundreds of breach reports I’ve read have involved compromised credentials. More than 80% of hacking breaches are now enabled by brute force or the use of lost or stolen credentials, according to the 2020 Data Breach Investigations Report. The most effective and commonly-used strategy is credential stuffing attacks, where digital adversaries break in, exploit the environment, then move laterally to gain higher-level access.

Powered by WPeMatico

5 questions every IT team should be able to answer

Now more than ever, IT teams play a vital role in keeping their businesses running smoothly and securely. With all of the assets and data that are now broadly distributed, a CEO depends on their IT team to ensure employees remain connected and productive and that sensitive data remains protected.

CEOs often visualize and measure things in terms of dollars and cents, and in the face of continuing uncertainty, IT — along with most other parts of the business — is facing intense scrutiny and tightening of budgets. So, it is more important than ever to be able to demonstrate that they’ve made sound technology investments and have the agility needed to operate successfully in the face of continued uncertainty.

For a CEO to properly understand risk exposure and make the right investments, IT departments have to be able to confidently communicate what types of data are on any given device at any given time.

Here are five questions that IT teams should be ready to answer when their CEO comes calling:

What have we spent our money on?

Or, more specifically, exactly how many assets do we have? And, do we know where they are? While these seem like basic questions, they can be shockingly difficult to answer … much more difficult than people realize. The last several months in the wake of the COVID-19 outbreak have been the proof point.

With the mass exodus of machines leaving the building and disconnecting from the corporate network, many IT leaders found themselves guessing just how many devices had been released into the wild and gone home with employees.

One CIO we spoke to estimated they had “somewhere between 30,000 and 50,000 devices” that went home with employees, meaning there could have been up to 20,000 that were completely unaccounted for. The complexity was further compounded as old devices were pulled out of desk drawers and storage closets to get something into the hands of employees who were not equipped to work remotely. Companies had endpoints connecting to corporate network and systems that they hadn’t seen for years — meaning they were out-of-date from a security perspective as well.

This level of uncertainty is obviously unsustainable and introduces a tremendous amount of security risk. Every endpoint that goes unaccounted for not only means wasted spend but also increased vulnerability, greater potential for breach or compliance violation, and more. In order to mitigate these risks, there needs to be a permanent connection to every device that can tell you exactly how many assets you have deployed at any given time — whether they are in the building or out in the wild.

Are our devices and data protected?

Device and data security go hand in hand; without the ability to see every device that is deployed across an organization, it becomes next to impossible to know what data is living on those devices. When employees know they are leaving the building and going to be off network, they tend to engage in “data hoarding.”

Powered by WPeMatico

Google launches Android Enterprise Essentials, a mobile device management service for small businesses

Google today introduced a new mobile management and security solution, Android Enterprise Essentials, which, despite its name, is actually aimed at small to medium-sized businesses. The company explains this solution leverages Google’s experience in building Android Enterprise device management and security tools for larger organizations in order to come up with a simpler solution for those businesses with smaller budgets.

The new service includes the basics in mobile device management, with features that allow smaller businesses to require their employees to use a lock screen and encryption to protect company data. It also prevents users from installing apps outside the Google Play Store via the Google Play Protect service, and allows businesses to remotely wipe all the company data from phones that are lost or stolen.

As Google explains, smaller companies often handle customer data on mobile devices, but many of today’s remote device management solutions are too complex for small business owners, and are often complicated to get up-and-running.

Android Enterprise Essentials attempts to make the overall setup process easier by eliminating the need to manually activate each device. And because the security policies are applied remotely, there’s nothing the employees themselves have to configure on their own phones. Instead, businesses that want to use the new solution will just buy Android devices from a reseller to hand out or ship to employees with policies already in place.

Though primarily aimed at smaller companies, Google notes the solution may work for select larger organizations that want to extend some basic protections to devices that don’t require more advanced management solutions. The new service can also help companies get started with securing their mobile device inventory, before they move up to more sophisticated solutions over time, including those from third-party vendors.

The company has been working to better position Android devices for use in workplace over the past several years, with programs like Android for Work, Android Enterprise Recommended, partnerships focused on ridding the Play Store of malware, advanced device protections for high-risk users, endpoint management solutions, and more.

Google says it will roll out Android Enterprise Essentials initially with distributors Synnex in the U.S. and Tech Data in the U.K. In the future, it will make the service available through additional resellers as it takes the solution global in early 2021. Google will also host an online launch event and demo in January for interested customers.

Powered by WPeMatico

DataFleets keeps private data useful and useful data private with federated learning and $4.5M seed

As you may already know, there’s a lot of data out there, and some of it could actually be pretty useful. But privacy and security considerations often put strict limitations on how it can be used or analyzed. DataFleets promises a new approach by which databases can be safely accessed and analyzed without the possibility of privacy breaches or abuse — and has raised a $4.5 million seed round to scale it up.

To work with data, you need to have access to it. If you’re a bank, that means transactions and accounts; if you’re a retailer, that means inventories and supply chains, and so on. There are lots of insights and actionable patterns buried in all that data, and it’s the job of data scientists and their ilk to draw them out.

But what if you can’t access the data? After all, there are many industries where it is not advised or even illegal to do so, such as in healthcare. You can’t exactly take a whole hospital’s medical records, give them to a data analysis firm, and say “sift through that and tell me if there’s anything good.” These, like many other data sets, are too private or sensitive to allow anyone unfettered access. The slightest mistake — let alone abuse — could have serious repercussions.

In recent years a few technologies have emerged that allow for something better, though: analyzing data without ever actually exposing it. It sounds impossible, but there are computational techniques for allowing data to be manipulated without the user ever actually having access to any of it. The most widely used one is called homomorphic encryption, which unfortunately produces an enormous, orders-of-magnitude reduction in efficiency — and big data is all about efficiency.

This is where DataFleets steps in. It hasn’t reinvented homomorphic encryption, but has sort of sidestepped it. It uses an approach called federated learning, where instead of bringing the data to the model, they bring the model to the data.

DataFleets integrates with both sides of a secure gap between a private database and people who want to access that data, acting as a trusted agent to shuttle information between them without ever disclosing a single byte of actual raw data.

Illustration showing how a model can be created without exposing data.

Image Credits: DataFleets

Here’s an example. Say a pharmaceutical company wants to develop a machine-learning model that looks at a patient’s history and predicts whether they’ll have side effects with a new drug. A medical research facility’s private database of patient data is the perfect thing to train it. But access is highly restricted.

The pharma company’s analyst creates a machine-learning training program and drops it into DataFleets, which contracts with both them and the facility. DataFleets translates the model to its own proprietary runtime and distributes it to the servers where the medical data resides; within that sandboxed environment, it grows into a strapping young ML agent, which when finished is translated back into the analyst’s preferred format or platform. The analyst never sees the actual data, but has all the benefits of it.

Screenshot of the DataFleets interface. Look, it’s the applications that are meant to be exciting. Image Credits: DataFleets

It’s simple enough, right? DataFleets acts as a sort of trusted messenger between the platforms, undertaking the analysis on behalf of others and never retaining or transferring any sensitive data.

Plenty of folks are looking into federated learning; the hard part is building out the infrastructure for a wide-ranging enterprise-level service. You need to cover a huge amount of use cases and accept an enormous variety of languages, platforms and techniques, and of course do it all totally securely.

“We pride ourselves on enterprise readiness, with policy management, identity-access management, and our pending SOC 2 certification,” said DataFleets COO and co-founder Nick Elledge. “You can build anything on top of DataFleets and plug in your own tools, which banks and hospitals will tell you was not true of prior privacy software.”

But once federated learning is set up, all of a sudden the benefits are enormous. For instance, one of the big issues today in combating COVID-19 is that hospitals, health authorities, and other organizations around the world are having difficulty, despite their willingness, in securely sharing data relating to the virus.

Everyone wants to share, but who sends whom what, where is it kept, and under whose authority and liability? With old methods, it’s a confusing mess. With homomorphic encryption it’s useful but slow. With federated learning, theoretically, it’s as easy as toggling someone’s access.

Because the data never leaves its “home,” this approach is essentially anonymous and thus highly compliant with regulations like HIPAA and GDPR, another big advantage. Elledge notes: “We’re being used by leading healthcare institutions who recognize that HIPAA doesn’t give them enough protection when they are making a data set available for third parties.”

Of course there are less noble, but no less viable, examples in other industries: Wireless carriers could make subscriber metadata available without selling out individuals; banks could sell consumer data without violating anyone in particular’s privacy; bulky datasets like video can sit where they are instead of being duplicated and maintained at great expense.

The company’s $4.5 million seed round is seemingly evidence of confidence from a variety of investors (as summarized by Elledge): AME Cloud Ventures (Jerry Yang of Yahoo) and Morado Ventures, Lightspeed Venture Partners, Peterson Ventures, Mark Cuban, LG, Marty Chavez (president of the board of overseers of Harvard), Stanford-StartX fund, and three unicorn founders (Rappi, Quora and Lucid).

With only 11 full-time employees DataFleets appears to be doing a lot with very little, and the seed round should enable rapid scaling and maturation of its flagship product. “We’ve had to turn away or postpone new customer demand to focus on our work with our lighthouse customers,” Elledge said. They’ll be hiring engineers in the U.S. and Europe to help launch the planned self-service product next year.

“We’re moving from a data ownership to a data access economy, where information can be useful without transferring ownership,” said Elledge. If his company’s bet is on target, federated learning is likely to be a big part of that going forward.

Powered by WPeMatico

Decrypted: How Twitter was hacked, GitHub DMCA backfires

One week to the U.S. presidential election and things are getting spicy.

It’s not just the rhetoric — hackers are actively working to disrupt the election, officials have said, and last week they came with a concrete example and an unusually quick pointing of blame.

On Wednesday night, Director of National Intelligence John Ratcliffe blamed Iran for an email operation designed to intimidate voters in Florida into voting for President Trump “or else.” Ratcliffe, who didn’t take any questions from reporters and has been accused of politicizing the typically impartial office, said Iran had used voter registration data — which is largely public in the U.S. — to send emails that looked like they came from the far-right group the Proud Boys. Google security researchers also linked the campaign to Iran, which denied claims of its involvement. It’s estimated about 2,500 emails went through in the end, with the rest getting caught in spam filters.

The announcement was lackluster in detail. But experts like John Hultquist, who heads intelligence analysis at FireEye-owned security firm Mandiant, said the incident is “clearly aimed at undermining voter confidence,” just as the Russians attempted during the 2016 election.

 


THE BIG PICTURE

Twitter was hacked using a fake VPN portal, New York investigation finds

The hackers who broke into Twitter’s network used a fake VPN page to steal the credentials — and two-factor authentication code — of an employee, an investigation by New York’s Department of Financial Affairs found. The state tax division got involved after the hackers then hijacked user accounts using an internal “admin tool” to spread a cryptocurrency scam.

In a report published last week, the department said the hackers called several Twitter employees and used social engineering to trick one employee into entering their username and password on a site that looked like the company’s VPN portal, which most employees use to access the network from home during the pandemic.

Twitter Hack Update: We knew the attackers used the phone & pretended to be IT Support, but now we know the criminals specifically said they were calling about VPN issues, taking advantage of COVID-19 remote work strain. Sadly, these pretexts work often. https://t.co/kKe8XO3MCJ pic.twitter.com/fpE6Afcij1

— Rachel Tobac (@RachelTobac) October 20, 2020

“As the employee entered their credentials into the phishing website, the hackers would simultaneously enter the information into the real Twitter website. This false log-in generated a [two-factor authentication] notification requesting that the employees authenticate themselves, which some of the employees did,” wrote the report. Once onto the network using the employee’s VPN credentials, the hackers used that access to investigate how to access the company’s internal tools.

Twitter said in September that its employees would receive hardware security keys, which would make it far more difficult for a repeat phishing attack to be successful.

Open-source YouTube download tool hit by DMCA takedown, but backfires

Powered by WPeMatico

Strike Graph raises $3.9M to help automate security audits

Compliance automation isn’t exactly the most exciting topic, but security audits are big business and companies that aim to get a SOC 2, ISO 207001 or FedRamp certification can often spend six figures to get through the process with the help of an auditing service. Seattle-based Strike Graph, which is launching today and announcing a $3.9 million seed funding round, wants to automate as much of this process as possible.

The company’s funding round was led by Madrona Venture Group, with participation from Amplify.LA, Revolution’s Rise of the Rest Seed Fund and Green D Ventures.

Strike Graph co-founder and CEO Justin Beals tells me that the idea for the company came to him during his time as CTO at machine learning startup Koru (which had a bit of an odd exit last year). To get enterprise adoption for that service, the company had to get a SOC 2 security certification. “It was a real challenge, especially for a small company. In talking to my colleagues, I just recognized how much of a challenge it was across the board. And so when it was time for the next startup, I was just really curious,” he told me.

Image Credits: Strike Graph

Together with his co-founder Brian Bero, he incubated the idea at Madrona Venture Labs, where he spent some time as Entrepreneur in Residence after Koru.

Beals argues that today’s process tends to be slow, inefficient and expensive. The idea behind Strike Graph, unsurprisingly, is to remove as many of these inefficiencies as is currently possible. The company itself, it is worth noting, doesn’t provide the actual audit service. Businesses will still need to hire an auditing service for that. But Beals also argues that the bulk of what companies are paying for today is pre-audit preparation.

“We do all that preparation work and preparing you and then, after your first audit, you have to go and renew every year. So there’s an important maintenance of that information.”

Image Credits: Strike Graph

When customers come to Strike Graph, they fill out a risk assessment. The company takes that and can then provide them with controls for how to improve their security posture — both to pass the audit and to secure their data. Beals also noted that soon, Strike Graph will be able to help businesses automate the collection of evidence for the audit (say your encryption settings) and can pull that in regularly. Certifications like SOC 2, after all, require companies to have ongoing security practices in place and get re-audited every 12 months. Automated evidence collection will launch in early 2021, once the team has built out the first set of its integrations to collect that data.

That’s also where the company, which mostly targets mid-size businesses, plans to spend a lot of its new funding. In addition, the company plans to focus on its marketing efforts, mostly around content marketing and educating its potential customers.

“Every company, big or small, that sells a software solution must address a broad set of compliance requirements in regards to security and privacy. Obtaining the certifications can be a burdensome, opaque and expensive process. Strike Graph is applying intelligent technology to this problem — they help the company identify the appropriate risks, enable the audit to run smoothly and then automate the compliance and testing going forward,” said Hope Cochran, managing director at Madrona Venture Group. “These audits were a necessary pain when I was a CFO, and Strike Graph’s elegant solution brings together teams across the company to move the business forward faster.”

Powered by WPeMatico

1 2 3 7