Hack

Auto Added by WPeMatico

This $20 DIY kit makes your NES, SNES or Mega Drive controller wireless

I have to hand it to 8BitDo. At first I thought they were just opportunistically hawking cheap hunks of plastic in an era of unparalleled nostalgia for retro games, but… well, who am I kidding? That’s exactly what they’re doing. But they’re doing it well. And these new DIY kits are the latest sign that they actually understand their most obsessive customers.

While you can of course purchase fully formed controllers and adapters from the company that let your retro consoles ride the wireless wave of the future, not everyone is ready to part with their original hardware.

I, for example, have had my Super Nintendo for 25 years or so — its yellowing, cracked bulk and controllers, all-over stains and teeth marks compelling all my guests to make an early exit. I consider it part of my place’s unique charm, but more importantly I’m used to the way these controllers feel and look — they’re mine.

8BitDo understands me, along with the rest of the wretches out there who can’t part with the originals out of some twisted concept of loyalty or authenticity. So they’re giving us the option to replace the controllers’ aging guts with a fresh new board equipped with wireless connectivity, making it a healthy hybrid of the past and present.

If you’re the type (as I am) that worries that a modern controller will break in ways that an SNES controller would find laughable, if it could laugh, then this will likely strike your fancy. All you do is take apart your gamepad (if you can stand to do so), pull out the original PCB (and save it, of course), and pop in the new one.

You’ll be using more or less all the same parts as these famously durable controllers came with (check out this teardown). The way the buttons feel shouldn’t change at all, since the mechanical parts aren’t being replaced, just the electronics that they activate. It runs on a rechargeable battery inside that you recharge with an unfortunately proprietary cable that comes with the kit.

If you’re worried about latency… don’t be. On these old consoles, control latency is already like an order of magnitude higher than a complete wireless packet round trip, so you shouldn’t notice any lag.

You will, however, need to pick up a Bluetooth adapter if you want to use this on your original console — but if you want to use the controller with a wireless-equipped setup like your computer, it should work flawlessly.

If you buy it and don’t like it, you can just slot the original PCB back into its spot and no harm is done!

There are conversion kits for the NES and SNES, the new Classic Editions of both, and the Sega Mega Drive. At $20 each it’s hardly a big investment, and the reversible nature of the mod makes it low risk. And hey, you might learn something about that controller of yours. Or find a desiccated spider inside.

Powered by WPeMatico

An Overwatch hacker in South Korea just got sentenced to a year in prison

A 28-year-old man in South Korea faces a year in prison for hacking Overwatch . The sentence, reported by South Korea’s SBS News and Dot Esports, handed the hacker one year in prison and two years of probation for illicit activity related to the hit online multiplayer game. The particularly steep sentence is a result of both the ongoing nature of the activity and the fact that the individual generated 200 million Korean won (almost $180,000 USD) from Overwatch-related hacks.

The hacker’s charges stem from the violation of two Korean laws: the Game Industry Promotion Act and the Information and Communication Technology Protection Law. In the last year, Overwatch developer Blizzard Entertainment has worked with the Seoul National Police Agency’s cybersecurity department to crack down on hacks that compromise the integrity of the high-profile game, particularly due to its prominence in the esports world.

“Cheating on the Asian Overwatch server is endemic and widespread,” Kotaku reported in a story on Overwatch hacking last year. “On the Battle.net forums and Reddit, complaints about hacking South Korean players’ too-accurate headshots, immediate gun-downs and even DDOS attacks against winners in competitive mode are widespread.”

Hacks for a game like Overwatch can take many forms, including scripts that enable perfect aim, match-fixing and a rank manipulation practice known as boosting.

“Doing anything to manipulate your internal MMR or Skill Rating (i.e. Boosting or Throwing) is not fine,” Overwatch Creative Director Jeff Kaplan wrote in a forum post last year. “Penalties for boosting and throwing are about to increase dramatically.”

The new sentence isn’t the first to be handed down by the Korean government for game-related hacking, but given the fact that sentencing usually results in large fines, it is notably harsh. Laws meant to deter gaming hacks went into effect in the country last year and stipulate that violators may face up to $43,000 in fines and up to five years in prison.

Powered by WPeMatico

CommerceDNA wins the TechCrunch Hackathon at VivaTech

It’s been a long night at VivaTech. The building hosted a very special competition — the very first TechCrunch Hackathon in Paris.

Hundreds of engineers and designers got together to come up with something cool, something neat, something awesome. The only condition was that they only had 24 hours to work on their projects. Some of them were participating in our event for the first time, while others were regulars. Some of them slept on the floor in a corner, while others drank too much Red Bull.

We could all feel the excitement in the air when the 64 teams took the stage to present a one-minute demo to impress fellow coders and our judges. But only one team could take home the grand prize and €5,000. So, without further ado, meet the TechCrunch Hackathon winner.

Winner: CommerceDNA

Runner-Up #1: AID

Runner-Up #2: EV Range Meter


Judges

Nicolas Bacca, CTO, Ledger
Nicolas worked on card systems for 5 years at Oberthur, a leader in embedded digital security, ultimately as R&D Solution Architect. He left Oberthur to launch his company, Ubinity, which was developing smartcard operating systems.

He finally co-founded BT Chip to develop an open standard, secure element based hardware wallet which eventually became the first version of the Ledger wallet.

Charles Gorintin, co-founder & CTO, Alan
Charles Gorintin is a French data science and engineering leader. He is a cofounder and CTO of Alan. Alan’s mission is to make it easy for people to be in great health.

Prior to co-founding Alan, Charles Gorintin was a data science leader at fast-growing social networks, Facebook, Instagram, and Twitter, where he worked on anti-fraud, growth, and social psychology.

Gorintin holds a Master’s degree in Mathematics and Computer Science from Ecole des Ponts ParisTech, a Master’s degree in Machine Learning from ENS Paris-Saclay, and a Masters of Financial Engineering from UC Berkeley – Haas School of Business.

Samantha Jérusalmy, Partner, Elaia Partners
Samantha joined Elaia Partners in 2008. She began her career as a consultant at Eurogroup, a consulting firm specialized in organisation and strategy, within the Bank and Finance division. She then joined Clipperton Finance, a corporate finance firm dedicated to high-tech growth companies, before moving to Elaia Partners in 2008. She became an Investment Manager in 2011 then a Partner in 2014.

Laure Némée, CTO, Leetchi
Laure has spent her career in software development in various startups since 2000 after an engineer’s degree in computer science. She joined Leetchi at the very beginning in 2010 and has been Leetchi Group CTO since. She now works mainly on MANGOPAY, the payment service for sharing economy sites that was created by Leetchi.

Benjamin Netter, CTO, Lendix
Benjamin is the CTO of Lendix, the leading SME lending platform in continental Europe. Learning to code at 8, he has been since then experimenting ways to rethink fashion, travel or finance using technology. In 2009, in parallel with his studies at EPITECH, he created one of the first French applications on Facebook (Questions entre amis), which was used by more than half a million users. In 2011, he won the Foursquare Global Hackathon by reinventing the travel guide with Tripovore. In 2014, he launched Somewhere, an Instagram travel experiment acclaimed by the press. He is today reinventing with Lendix the way European companies get faster and simpler financing.


And finally here were our hackmasters that guided our hackers to success:

Emily Atkinson, Software Engineer / MD, DevelopHer UK
Emily is a Software Engineer at Condé Nast Britain, and co-founder & Managing Director of women in tech network DevelopHer UK. Her technical role involves back-end services, infrastructure ops and tooling, site reliability and back-end product. Entering tech as an MSc Computer Science grad, she spent six years at online print startup MOO – working across the platform, including mobile web and product. As an advocate for diversity and inclusion in STEM & digital in 2016 Atkinson launched DevelopHer, a volunteer-run non-profit community aimed at increasing diversity in tech by empowering members to develop their career and skills through events, workshops, networking and mentoring.

Romain Dillet, Senior Writer, TechCrunch
Romain attended EMLYON Business School, a leading French business school specialized in entrepreneurship. He covers many things from mobile apps with great design to fashion, Apple, AI and complex tech achievements. He also speaks at major tech conferences. He likes pop culture more than anything in the world.

Powered by WPeMatico

Meet the speakers at The Europas, and get your ticket free (July 3, London)

Excited to announce that this year’s The Europas Unconference & Awards is shaping up! Our half day Unconference kicks off on 3 July, 2018 at The Brewery in the heart of London’s “Tech City” area, followed by our startup awards dinner and fantastic party and celebration of European startups!

The event is run in partnership with TechCrunch, the official media partner. Attendees, nominees and winners will get deep discounts to TechCrunch Disrupt in Berlin, later this year.
The Europas Awards are based on voting by expert judges and the industry itself. But key to the daytime is all the speakers and invited guests. There’s no “off-limits speaker room” at The Europas, so attendees can mingle easily with VIPs and speakers.

What exactly is an Unconference? We’re dispensing with the lectures and going straight to the deep-dives, where you’ll get a front row seat with Europe’s leading investors, founders and thought leaders to discuss and debate the most urgent issues, challenges and opportunities. Up close and personal! And, crucially, a few feet away from handing over a business card. The Unconference is focused into zones including AI, Fintech, Mobility, Startups, Society, and Enterprise and Crypto / Blockchain.

We’ve confirmed 10 new speakers including:


Eileen Burbidge, Passion Capital


Carlos Eduardo Espinal, Seedcamp


Richard Muirhead, Fabric Ventures


Sitar Teli, Connect Ventures


Nancy Fechnay, Blockchain Technologist + Angel


George McDonaugh, KR1


Candice Lo, Blossom Capital


Scott Sage, Crane Venture Partners


Andrei Brasoveanu, Accel


Tina Baker, Jag Shaw Baker

How To Get Your Ticket For FREE

We’d love for you to ask your friends to join us at The Europas – and we’ve got a special way to thank you for sharing.

Your friend will enjoy a 15% discount off the price of their ticket with your code, and you’ll get 15% off the price of YOUR ticket.

That’s right, we will refund you 15% off the cost of your ticket automatically when your friend purchases a Europas ticket.

So you can grab tickets here.

Vote for your Favourite Startups

Public Voting is still humming along. Please remember to vote for your favourite startups!

Awards by category:

Hottest Media/Entertainment Startup

Hottest E-commerce/Retail Startup

Hottest Education Startup

Hottest Startup Accelerator

Hottest Marketing/AdTech Startup

Hottest Games Startup

Hottest Mobile Startup

Hottest FinTech Startup

Hottest Enterprise, SaaS or B2B Startup

Hottest Hardware Startup

Hottest Platform Economy / Marketplace

Hottest Health Startup

Hottest Cyber Security Startup

Hottest Travel Startup

Hottest Internet of Things Startup

Hottest Technology Innovation

Hottest FashionTech Startup

Hottest Tech For Good

Hottest A.I. Startup

Fastest Rising Startup Of The Year

Hottest GreenTech Startup of The Year

Hottest Startup Founders

Hottest CEO of the Year

Best Angel/Seed Investor of the Year

Hottest VC Investor of the Year

Hottest Blockchain/Crypto Startup Founder(s)

Hottest Blockchain Protocol Project

Hottest Blockchain DApp

Hottest Corporate Blockchain Project

Hottest Blockchain Investor

Hottest Blockchain ICO (Europe)

Hottest Financial Crypto Project

Hottest Blockchain for Good Project

Hottest Blockchain Identity Project

Hall Of Fame Award – Awarded to a long-term player in Europe

The Europas Grand Prix Award (to be decided from winners)

The Awards celebrates the most forward thinking and innovative tech & blockchain startups across over some 30+ categories.

Startups can apply for an award or be nominated by anyone, including our judges. It is free to enter or be nominated.

What is The Europas?

Instead of thousands and thousands of people, think of a great summer event with 1,000 of the most interesting and useful people in the industry, including key investors and leading entrepreneurs.

• No secret VIP rooms, which means you get to interact with the Speakers

• Key Founders and investors speaking; featured attendees invited to just network

• Expert speeches, discussions, and Q&A directly from the main stage

• Intimate “breakout” sessions with key players on vertical topics

• The opportunity to meet almost everyone in those small groups, super-charging your networking

• Journalists from major tech titles, newspapers and business broadcasters

• A parallel Founders-only track geared towards fund-raising and hyper-networking

• A stunning awards dinner and party which honors both the hottest startups and the leading lights in the European startup scene

• All on one day to maximise your time in London. And it’s PROBABLY sunny!

europas8

That’s just the beginning. There’s more to come…

europas13

Interested in sponsoring the Europas or hosting a table at the awards? Or purchasing a table for 10 or 12 guest or a half table for 5 guests? Get in touch with:
Petra Johansson
Petra@theeuropas.com
Phone: +44 (0) 20 3239 9325

Powered by WPeMatico

LocationSmart didn’t just sell mobile phone locations, it leaked them

What’s worse than companies selling the real-time locations of cell phones wholesale? Failing to take security precautions that prevent people from abusing the service. LocationSmart did both, as numerous sources indicated this week.

The company is adjacent to a hack of Securus, a company in the lucrative business of prison inmate communication; LocationSmart was the partner that allowed the former to provide mobile device locations in real time to law enforcement and others. There are perfectly good reasons and methods for establishing customer location, but this isn’t one of them.

Police and FBI and the like are supposed to go directly to carriers for this kind of information. But paperwork is such a hassle! If carriers let LocationSmart, a separate company, access that data, and LocationSmart sells it to someone else (Securus), and that someone else sells it to law enforcement, much less paperwork required! That’s what Securus told Senator Ron Wyden (D-OR) it was doing: acting as a middle man between the government and carriers, with help from LocationSmart.

LocationSmart’s service appears to locate phones by which towers they have recently connected to, giving a location within seconds to as close as within a few hundred feet. To prove the service worked, the company (until recently) provided a free trial of its service where a prospective customer could put in a phone number and, once that number replied yes to a consent text, the location would be returned.

It worked quite well, but is now offline. Because in its excitement to demonstrate the ability to locate a given phone, the company appeared to forget to secure the API by which it did so, Brian Krebs reports.

Krebs heard from CMU security researcher Robert Xiao, who had found that LocationSmart “failed to perform basic checks to prevent anonymous and unauthorized queries.” And not through some hardcore hackery — just by poking around.

“I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort,” he told Krebs. Xiao posted the technical details here.

They verified the back door to the API worked by testing it with some known parties, and when they informed LocationSmart, the company’s CEO said they would investigate.

This is enough of an issue on its own. But it also calls into question what the wireless companies say about their own policies of location sharing. When Krebs contacted the four major U.S. carriers, they all said they all require customer consent or law enforcement requests.

Yet using LocationSmart’s tool, phones could be located without user consent on all four of those carriers. Both of these things can’t be true. Of course, one was just demonstrated and documented, while the other is an assurance from an industry infamous for deception and bad privacy policy.

There are three options that I can think of:

  • LocationSmart has a way of finding location via towers that does not require authorization from the carriers in question. This seems unlikely for technical and business reasons; the company also listed the carriers and other companies on its front page as partners, though their logos have since been removed.
  • LocationSmart has a sort of skeleton key to carrier info; their requests might be assumed to be legit because they have law enforcement clients or the like. This is more likely, but also contradicts the carriers’ requirement that they require consent or some kind of law enforcement justification.
  • Carriers don’t actually check on a case by case basis whether a request has consent; they may foist that duty off on the ones doing the requests, like LocationSmart (which does ask for consent in the official demo). But if carriers don’t ask for consent and third parties don’t either, and neither keeps the other accountable, the requirement for consent may as well not exist.

None of these is particularly heartening. But no one expected anything good to come out of a poorly secured API that let anyone request the approximate location of anyone’s phone. I’ve asked LocationSmart for comment on how the issue was possible (and also Krebs for a bit of extra data that might shed light on this).

It’s worth mentioning that LocationSmart is not the only business that does this, just the one implicated today in this security failure and in the shady practices of Securus.

Powered by WPeMatico

Unstoppable exploit in Nintendo Switch opens door to homebrew and piracy

The Nintendo Switch may soon be a haven for hackers, but not the kind that want your data — the kind that want to run SNES emulators and Linux on their handheld gaming consoles. A flaw in an Nvidia chip used by the Switch, detailed today, lets power users inject code into the system and modify it however they choose.

The exploit, known as Fusée Gelée, was first hinted at by developer Kate Temkin a few months ago. She and others at ReSwitched worked to prove and document the exploit, sending it to Nvidia and Nintendo, among others.

Although responsible disclosure is to be applauded, it won’t make much difference here: this flaw isn’t the kind that can be fixed with a patch. Millions of Switches are vulnerable, permanently, to what amounts to a total jailbreak; only new ones with code tweaked at the factory will be immune.

That’s because the flaw is baked into the read-only memory of the Nvidia Tegra X1 used in the Switch and a few other devices. It’s in the “Boot and Power Management Processor” to be specific, where a misformed packet sent during a routine USB device status check allows the connected device to send up to 64 kibibytes (65,535 bytes) of extra data that will be executed without question. You need to get into recovery mode first, but that’s easy.

As you can imagine, getting arbitrary code to run on a device that deep in its processes is a huge, huge vulnerability. Fortunately it’s only available to someone with direct, physical access to the Switch. But that in itself makes it an extremely powerful tool for anyone who wants to modify their own console.

Modding consoles is done for many reasons, and indeed piracy is among them. But people also want to do things Nintendo won’t let them, like back up their saved games, run custom software like emulators or extend the capabilities of the OS beyond the meager features the company has provided.

Temkin and her colleagues had planned to release the vulnerability publicly on June 15 or when someone releases the vulnerability independent of them — whichever came first. It turned out to be the latter, which apparently came as a surprise to no one in the community. The X1 exploit seems to have been something of an open secret.

The exploit was released anonymously by some hacker and Temkin accordingly published the team’s documentation of it on GitHub. If that’s too technical, there’s also some more plain-language chatter about the flaw in a FAQ posted earlier this month. I’ve asked Temkin for a few more details.

In addition to Temkin, failOverflow announced a small device that will short a pin in the USB connector and put the device into recovery mode, prepping it for exploitation. And Team-Xecuter was advertising a similar hardware attack months ago.

The answer to the most obvious question is no, you can’t just fire this up and start playing Wave Race 64 (or a pirated Zelda) on your Switch 15 minutes from now. The exploit still requires technical ability to implement, though as with many other hacks of this type, someone will likely graft it to a nice GUI that guides ordinary users through the process. (It certainly happened with the NES and SNES Classic Editions.)

Although the exploit can’t be patched away with a software update, Nintendo isn’t powerless. It’s likely that a modified Switch would be barred from the company’s online services (such as they are) and possibly the user’s account, as well. So although the hacking process is, compared with the soldering required for modchips of decades past, low on risk, it isn’t a golden ticket.

That said, Fusée Gelée will almost certainly open the floodgates for developers and hackers who care little for Nintendo’s official ecosystem and would rather see what they can get this great piece of hardware to do on their own.

I’ve asked Nintendo and Nvidia for comment and will update when I hear back.

Powered by WPeMatico

Russia’s game of Telegram whack-a-mole grows to 19M blocked IPs, hitting Twitch, Spotify and more

As the messaging app Telegram continues to try to evade Russian authorities by switching up its IP addresses, Russia’s regulator Roskomnadzor (RKN) has continued its game of whack-a-mole to try to lock it down by knocking out complete swathes of IP address. The resulting chase how now ballooned to nearly 19 million IP addresses at the time of writing, as tracked by unofficial RKN observer RKNSHOWTIME (updated on a Telegram channel with stats accessible on the web via Phil Kulin’s site).

As a result, there have been a number of high-profile services also knocked oput in the crossfire, with people in Russia reporting dozens of sites affected including Twitch, Slack, Soundcloud, Viber, Spotify, Fifa, Nintendo, as well as Amazon and Google. (A full list of nearly forty addresses is listed below.)

What’s notable is that Google and Amazon themselves seem still not to be buckling under pressure. As we reported earlier this week, a similar — but far smaller — instance happened in the case of Zello, which had also devised a technique to hop around IP addresses when its own IP addresses were shut down by Russian regulators.

Zello’s circumventing lasted for nearly a year, until it seemed the regulator started to use a more blanket approach of blocking entire subnets — a move that ultimately led to Google and Amazon asking Zello to cease its activities.

After that, Zello’s main access point for its Russian users was via VPN proxies — one of the key ways that users in one country can effectively appear as if they are in another, allowing them to circumvent geoblocking and geofencing, either by the companies themselves, or those that have been banned by a state.

It’s important to note that the domain fronting that Google is in the process of shutting down is not the same as IP hopping — although, more generally, it will mean that there is now one less route for those globally whose traffic is getting blocked through censorship to wiggle around that. The IP hopping that has led to 19 million addresses getting blocked in Russia is another kind of circumvention. (I’m pointing this out because several people I’ve spoken to assumed they were the same.)

Pavel Durov, Telegram’s founder and CEO, has made several public calls on Telegram and also third-party sites like Twitter to praise how steadfast the big internet companies have been. And others like the ACLU have also waded into the story to call on Amazon, Apple, Google and Microsoft to hold strong and continue to allow Telegram to IP hop.

But what could happen next?

I’ve contacted Google, Amazon and Telegram now several times to ask this question and for more details on what is going on. As of yet I’ve had no replies. However, Alexey Gavrilov, the CTO and founder of Zello, provided a little more potential insight:

He said that ultimately they might ask Telegram to stop — something that might become increasingly hard not to do as more services get affected — and if that doesn’t work they can suspend Telegram’s account.

“Each cloud provider has provisions, which let them do it if your use interferes with other customers using their service,” Gavrilov notes. “The interpretation of this rule may be not trivial in case when the harm is caused by third party (i.e RKN in this case) so I think there are some legal risks for Amazon / Google. Plus that would likely cause a PR issue for them.”

Another question is whether there are bigger fish to fry in this story. Some have floated the idea that just as Zello preceded Telegram, RKN’s battles with the latter might lead to how it negotiates with Facebook.

As we have reported before, Facebook notably has never moved to house Russian Facebook data in Russia. Local hosting has been one of the key requirements that the regulator has enforced against a number of other companies as part of its “data protection” rules, and over the last couple of years while some high-profile companies have run afoul of the these regulations, others (including Apple and Google) have reportedly complied.

Regardless, there’s been one ironic silver lining in this story. Since RKN shifted its focus to waging a war on Telegram, Gavrilov tells me that Zello service has been restored in Russia. Here’s to weathering the storm. 

Bill Moore, Zello’s CEO, believes that there is a fight to keep fighting here. “We are small,” he said. “Technology leaders like Amazon, Google, Apple and Facebook can cooperate with each other to avoid becoming a tool governments use to control speech.  We hope Amazon and Google stay firm even if the short term cost is real.”

We’ll update this post as and when we get responses from the big players. A more complete list of sites that people have reported as affected by the 19 million address block is below, via Telegram channel Нецифровая экономика (“Non-digital economy”). Some of these have been disputed, so take this with a grain of salt:

1. Sberbank (disputed)
2. Alfa Bank (disputed)
3. VTB
4. Mastercard
5. Some Microsoft services
6. Video agency RT Ruptly
7. Games like Fortnite, PUBG, Guild Wars 2, Vainglory, Guns of Boom, World of Warships Blitz, Lineage 2 Mobile and Total War: Arena
8. Twitch
9. Google
10. Amazon
11. Russian food retailer Dixy (disupted)
12. Odnoklassniki (the social network, ok,ru)
13. Viber
14. Дилеры Volvo
15. Gett Taxi
16. BattleNet
17. SoundCloud
18. DevianArt
19. Coursera
20. Realtimeboard
21. Trello
22. Slack
23. Evernote
24. Skyeng (online English language school)
25. Part of the Playstation Network
26. Ivideon
27. ResearchGate
28. Gitter
29. eLama
30. Behance
31. Nintendo
32. Codeacademy
33. Lifehacker
34. Spotify
35. FIFA
36. And it seems like some of RKN’s site itself

Powered by WPeMatico

Security flaw in Grindr exposed locations to third-party service

Users of Grindr, the popular dating app for gay men, may have been broadcasting their location despite having disabled that particular feature. Two security flaws allowed for discovery of location data against a user’s will, though they take a bit of doing.

The first of the flaws, which were discovered by Trever Faden and reported first by NBC News, allowed users to see a variety of data not available normally: who had blocked them, deleted photos, locations of people who had chosen not to share that data and more.

The catch is that if you wanted to find out about this, you had to hand over your username and password to Faden’s purpose-built website, C*ckblocked (asterisk original), which would then scour your Grindr account for this hidden metadata.

Of course it’s a bad idea to surrender your credentials to any third party whatsoever, but regardless of that, this particular third party was able to find data that a user should not have access to in the first place.

The second flaw involved location data being sent unencrypted, meaning a traffic snooper might be able to detect it. (In its comment, Grindr says it encrypts and obfuscates location data, but has not specifically denied the existence of this issue.)

It may not sound too serious to have someone watching a Wi-Fi network know a person’s location — they’re there on the network, obviously, which narrows it down considerably. But users of a gay dating app are members of a minority often targeted by bigots and governments, and having their phone essentially send out a public signal saying “I’m here and I’m gay” without their knowledge is a serious problem.

I’ve asked Grindr for comment and confirmation; the company told NBC News that it had changed how data was handled in order to prevent the C*ckblocked exploit (the site has since been shut down), but did not address the second issue.

Update: Grindr has offered a statement on these issues, which I quote in part below (emphasis theirs):

Anytime a user discloses their login credentials to an unknown third-party, they run the risk of exposing their own profile information, location information, and related metadata. We cannot emphasize this enough: we strongly recommend against our users sharing their personal login information with these websites as they risk exposing information that they have opted out of sharing.

Grindr is a location-based app. Location is a critical element of our social network platform. This allows our users to feel connected to our community in a world that would seek to isolate us. That said, all information transmitted between a user’s device and our servers is encrypted and communicated in a way that does not reveal your specific location to unknown third parties.

Furthermore, the statement points out, “In territories where homosexuality is criminalized, or it is otherwise unsafe to be LGBTQ identified, we deliberately obfuscate the location-based features of our application to protect our users.”

I’ve asked for any further information on the possibility that location data was, as reported, sent unencrypted. I’ll update if I hear back.

Powered by WPeMatico

OnePlus confirms up to 40,000 customers were impacted by credit card hack

 If you gave your credit card number to OnePlus sometime between mid-November and last week, your card may have been compromised. The smartphone maker confirmed this morning through its online forum that upwards of 40,000 customers may have had their numbers exposed to hackers. “Only a small subset of our customers is affected,” a spokesperson for the company told… Read More

Powered by WPeMatico

UK’s Carphone Warehouse fined nearly $540k for 2015 hack

 The UK’s data watchdog has handed mobile phone retailer Carphone Warehouse a £400,000 fine — just shy of the £500k maximum the regulator can currently issue — for security failings attached to a 2015 hack that compromised the personal data of some three million customers and 1,000 employees.  Read More

Powered by WPeMatico