
The blog of DataDiggers


Foxconn halts some production lines for Huawei phones, according to reports

Posted on Jun 1, 2019 in android, Apple, Companies, Donald Trump, Foxconn, Google, Huawei, mobile phones, operating system, president, shenzhen, smart phone, smartphone, Smartphones, TC, telecommunications, United States, Xiaomi

Huawei, the Chinese technology giant whose devices are at the center of a far-reaching trade dispute between the U.S. and Chinese governments, is reducing orders for new phones, according to a report in The South China Morning Post.

According to unnamed sources, the Taiwanese technology manufacturer Foxconn has halted production lines for several Huawei phones after the Shenzhen-based company reduced orders. Foxconn also makes devices for most of the major smartphone vendors, including Apple and Xiaomi (in addition to Huawei).

In the aftermath of President Donald Trump’s declaration of a “national emergency” to protect U.S. networks from foreign technologies, Huawei and several of its affiliates were barred from acquiring technologies from U.S. companies.

The blacklist has impacted multiple lines of Huawei’s business, including its handset manufacturing capabilities, given the company’s reliance on Google’s Android operating system for its smartphones.

In May, Google reportedly suspended business with Huawei, according to a Reuters report. Last year, Huawei shipped over 200 million handsets and the company had a stated goal to become the world’s largest vendor of smartphones by 2020.

These reports from The South China Morning Post are the clearest indication that the ramifications of the U.S. blacklisting are beginning to be felt across Huawei’s phone business outside of China.

Huawei was already under fire for security concerns, and will be forced to contend with more if it can no longer provide Android updates to global customers.

Contingency planning is already underway at Huawei. The company has built its own Android-based operating system, and can use the stripped-down, open source version of Android that ships without Google Mobile Services. For now, its customers also still have access to Google’s app store. But if the company is forced to make developers sell their apps on a siloed Huawei-only store, it could face problems from users outside of China.

Huawei and the Chinese government are also retaliating against the U.S. efforts. The company has filed a legal motion to challenge the U.S. ban on its equipment, calling it “unconstitutional.” And Huawei has sent home its American employees deployed at R&D functions at its Shenzhen headquarters.

It has also asked its Chinese employees to limit conversations with overseas visitors, and cease any technical meetings with their U.S. contacts.

Still, any reduction in orders would seem to indicate that the U.S. efforts to stymie Huawei’s expansion (at least in its smartphone business) are having an impact.

A spokesperson for Huawei U.S. did not respond to a request for comment.


Source: The Tech Crunch


Flawed visitor check-in systems let anyone steal guest logs and sneak into buildings

Posted on Mar 4, 2019 in computer security, Envoy, hacking, IBM, ipad, operating system, Privacy, Security, software testing, vulnerability

Security researchers at IBM have found, reported and disclosed 19 vulnerabilities in five popular visitor management systems, which they say can be used to steal data on visitors — or even sneak into sensitive and off-limit areas of office buildings.

You’ve probably seen one of these visitor check-in systems before: they’re often found in lobbies or reception areas of office buildings to check staff and visitors onto the work floor. Visitors check in with their name and who they’re meeting using the touch-screen display or tablet, and a name badge is either printed or issued.

But the IBM researchers say flaws in these systems provided “a false sense of security.”

The researchers examined five of the most popular systems: Lobby Track Desktop, built by Jolly Technologies, had seven vulnerabilities; eVisitorPass, recently rebranded as Threshold Security, had five vulnerabilities; EasyLobby Solo, built by HID Global, had four vulnerabilities; Envoy’s flagship Passport system had two vulnerabilities; and The Receptionist, an iPad app, had one vulnerability.

According to IBM, the vulnerabilities could only be exploited by someone physically at check-in. The bugs ranged from allowing someone to download visitor logs, including names, driver license and Social Security data, and phone numbers, to, in some cases, letting the buggy software be exploited to escape “kiosk” mode and reach the underlying operating system, which the researchers say could be used to pivot to other applications and onto the network, if connected.

Worst of all was the use of default admin credentials, which would “allow complete control of the application,” such as the ability to edit the visitor database. Some systems “can even issue and provision RFID badges, giving an attacker a key to open doors,” the researchers wrote.

Daniel Crowley, research director at IBM X-Force Red, the company’s pen-testing and vulnerability hunting team, told TechCrunch that all of the companies responded to the team’s findings.

“Some responded much more quickly than others,” said Crowley. “The Lobby Track vulnerabilities were acknowledged by Jolly Technologies, but they stated that the issues can be addressed through configuration options. X-Force Red tested the Lobby Track software in its default configuration,” he added.

We contacted the companies and received — for the most part — dismal responses.

Kate Miller, a spokesperson for Envoy, confirmed it fixed the bugs but “customer and visitor data was never at risk.”

Andy Alsop, chief executive of The Receptionist, did not respond to a request for comment but instead automatically signed us up to a mailing list without our permission, which we swiftly unsubscribed from. When reached, Michael Ashford, director of marketing, did not comment.

David Jordan, a representative for Jolly, declined to comment. And neither Threshold Security nor HID Global responded to our requests for comment.


Source: The Tech Crunch


How open source software took over the world

Posted on Jan 12, 2019 in apache, author, cloud computing, Cloudera, cockroach labs, Column, computing, Databricks, designer, executive, free software, Getty, GitHub, HashiCorp, hortonworks, IBM, linus torvalds, linux, Microsoft, microsoft windows, mongo, MongoDB, mulesoft, mysql, open source software, operating system, operating systems, oracle, red hat, RedHat, sap, Software, software as a service, TC, Yahoo

It was just 5 years ago that there was an ample dose of skepticism from investors about the viability of open source as a business model. The common thesis was that Redhat was a snowflake and that no other open source company would be significant in the software universe.

Fast forward to today and we’ve witnessed the growing excitement in the space: Redhat is being acquired by IBM for $32 billion (3x its market cap from 2014); Mulesoft was acquired after going public for $6.5 billion; MongoDB is now worth north of $4 billion; Elastic’s IPO now values the company at $6 billion; and, through the merger of Cloudera and Hortonworks, a new company with a market cap north of $4 billion will emerge. In addition, there’s a growing cohort of impressive OSS companies working their way through the growth stages of their evolution: Confluent, HashiCorp, DataBricks, Kong, Cockroach Labs and many others. Given the relative multiples that Wall Street and private investors are assigning to these open source companies, it seems pretty clear that something special is happening.

So, why did this movement that once represented the bleeding edge of software become the hot place to be? There are a number of fundamental changes that have advanced open source businesses and their prospects in the market.


From Open Source to Open Core to SaaS

The original open source projects were not really businesses, they were revolutions against the unfair profits that closed-source software companies were reaping. Microsoft, Oracle, SAP and others were extracting monopoly-like “rents” for software, which the top developers of the time didn’t believe was world class. So, beginning with the most broadly used components of software – operating systems and databases – progressive developers collaborated, often asynchronously, to author great pieces of software. Everyone could not only see the software in the open, but through a loosely-knit governance model, they added, improved and enhanced it.

The software was originally created by and for developers, which meant that at first it wasn’t the most user-friendly. But it was performant, robust and flexible. These merits gradually percolated across the software world and, over a decade, Linux became the second most popular OS for servers (next to Windows); MySQL mirrored that feat by eating away at Oracle’s dominance.

The first entrepreneurial ventures attempted to capitalize on this adoption by offering “enterprise-grade” support subscriptions for these software distributions. Redhat emerged the winner in the Linux race and MySQL (the company) for databases. These businesses had some obvious limitations – it was harder to monetize software with just support services – but the market size for OS’s and databases was so large that, in spite of more challenged business models, sizeable companies could be built.

The successful adoption of Linux and MySQL laid the foundation for the second generation of Open Source companies – the poster children of this generation were Cloudera and Hortonworks. These open source projects and businesses were fundamentally different from the first generation on two dimensions. First, the software was principally developed within an existing company and not by a broad, unaffiliated community (in the case of Hadoop, the software took shape within Yahoo!). Second, these businesses were based on the model that only parts of software in the project were licensed for free, so they could charge customers for use of some of the software under a commercial license. The commercial aspects were specifically built for enterprise production use and thus easier to monetize. These companies, therefore, had the ability to capture more revenue even if the market for their product didn’t have quite as much appeal as operating systems and databases.

However, there were downsides to this second generation model of open source business. The first was that no company singularly held ‘moral authority’ over the software – and therefore the contenders competed for profits by offering increasing parts of their software for free. Second, these companies often balkanized the evolution of the software in an attempt to differentiate themselves. To make matters more difficult, these businesses were not built with a cloud service in mind. Therefore, cloud providers were able to use the open source software to create SaaS businesses of the same software base. Amazon’s EMR is a great example of this.

The latest evolution came when entrepreneurial developers grasped the business model challenges existent in the first two generations – Gen 1 and Gen 2 – of open source companies, and evolved the projects with two important elements. The first is that the open source software is now developed largely within the confines of businesses. Often, more than 90% of the lines of code in these projects are written by the employees of the company that commercialized the software. Second, these businesses offer their own software as a cloud service from very early on. In a sense, these are Open Core / Cloud service hybrid businesses with multiple pathways to monetize their product. By offering the products as SaaS, these businesses can interweave open source software with commercial software so customers no longer have to worry about which license they should be taking. Companies like Elastic, Mongo, and Confluent with services like Elastic Cloud, Confluent Cloud, and MongoDB Atlas are examples of this Gen 3. The implications of this evolution are that open source software companies now have the opportunity to become the dominant business model for software infrastructure.

The Role of the Community

While the products of these Gen 3 companies are definitely more tightly controlled by the host companies, the open source community still plays a pivotal role in the creation and development of the open source projects. For one, the community still discovers the most innovative and relevant projects. They star the projects on Github, download the software in order to try it, and evangelize what they perceive to be the better project so that others can benefit from great software. Much like how a good blog post or a tweet spreads virally, great open source software leverages network effects. It is the community that is the source of promotion for that virality.

The community also ends up effectively being the “product manager” for these projects. It asks for enhancements and improvements; it points out the shortcomings of the software. The feature requests are not in a product requirements document, but on Github, comments threads and Hacker News. And, if an open source project diligently responds to the community, it will shape itself to the features and capabilities that developers want.

The community also acts as the QA department for open source software. It will identify bugs and shortcomings in the software; test 0.x versions diligently; and give the companies feedback on what is working or what is not. The community will also reward great software with positive feedback, which will encourage broader use.

What has changed though, is that the community is not as involved as it used to be in the actual coding of the software projects. While that is a drawback relative to Gen 1 and Gen 2 companies, it is also one of the inevitable realities of the evolving business model.

Linus Torvalds was the designer of the open-source operating system Linux.

Rise of the Developer

It is also important to realize the increasing importance of the developer for these open source projects. The traditional go-to-market model of closed source software targeted IT as the purchasing center of software. While IT still plays a role, the real customers of open source are the developers who often discover the software, and then download and integrate it into the prototype versions of the projects that they are working on. Once “infected” by open source software, these projects work their way through the development cycles of organizations from design, to prototyping, to development, to integration and testing, to staging, and finally to production. By the time the open source software gets to production it is rarely, if ever, displaced. Fundamentally, the software is never “sold”; it is adopted by the developers who appreciate the software more because they can see it and use it themselves rather than being subject to it based on executive decisions.

In other words, open source software permeates itself through the true experts, and makes the selection process much more grassroots than it has ever been historically. The developers basically vote with their feet. This is in stark contrast to how software has traditionally been sold.

Virtues of the Open Source Business Model

The resulting business model of an open source company looks quite different than a traditional software business. First of all, the revenue line is different. Side-by-side, a closed source software company will generally be able to charge more per unit than an open source company. Even today, customers do have some level of resistance to paying a high price per unit for software that is theoretically “free.” But, even though open source software is lower cost per unit, it makes up the total market size by leveraging the elasticity in the market. When something is cheaper, more people buy it. That’s why open source companies have such massive and rapid adoption when they achieve product-market fit.

Another great advantage of open source companies is their far more efficient and viral go-to-market motion. The first and most obvious benefit is that a user is already a “customer” before she even pays for it. Because so much of the initial adoption of open source software comes from developers organically downloading and using the software, the companies themselves can often bypass both the marketing pitch and the proof-of-concept stage of the sales cycle. The sales pitch is more along the lines of, “you already use 500 instances of our software in your environment, wouldn’t you like to upgrade to the enterprise edition and get these additional features?” This translates to much shorter sales cycles, the need for far fewer sales engineers per account executive, and much quicker payback periods of the cost of selling. In fact, in an ideal situation, open source companies can operate with favorable Account Executive to Systems Engineer ratios and can go from sales qualified lead (SQL) to closed sales within one quarter.

This virality allows open source software businesses to be far more efficient than traditional software businesses on a cash consumption basis. Some of the best open source companies have been able to grow their business at triple-digit growth rates well into their life while maintaining moderate cash burn rates. This is hard to imagine in a traditional software company. Needless to say, less cash consumption equals less dilution for the founders.


Open Source to Freemium

One last aspect of the changing open source business that is worth elaborating on is the gradual movement from true open source to community-assisted freemium. As mentioned above, the early open source projects leveraged the community as key contributors to the software base. In addition, even for slight elements of commercially-licensed software, there was significant pushback from the community. These days the community and the customer base are much more knowledgeable about the open source business model, and there is an appreciation for the fact that open source companies deserve to have a “paywall” so that they can continue to build and innovate.

In fact, from a customer perspective the two value propositions of open source software are that you a) can read the code; b) can treat it as freemium. The notion of freemium is that you can basically use it for free until it’s deployed in production or at some degree of scale. Companies like Elastic and Cockroach Labs have gone as far as actually open sourcing all their software but applying a commercial license to parts of the software base. The rationale is that real enterprise customers would pay whether the software is open or closed, and they are more incentivized to use commercial software if they can actually read the code. Indeed, there is a risk that someone could read the code, modify it slightly, and fork the distribution. But in developed economies – where much of the rents exist anyway – it’s unlikely that enterprise companies will elect the copycat as a supplier.

A key enabler to this movement has been the more modern software licenses that companies have either originally embraced or migrated to over time. Mongo’s new license, as well as those of Elastic and Cockroach, are good examples of these. Unlike the Apache incubated license – which was often the starting point for open source projects a decade ago – these licenses are far more business-friendly, and most model open source businesses are adopting them.

The Future

When we originally penned this article on open source four years ago, we aspirationally hoped that we would see the birth of iconic open source companies. At a time where there was only one model – Redhat – we believed that there would be many more. Today, we see a healthy cohort of open source businesses, which is quite exciting. I believe we are just scratching the surface of the kind of iconic companies that we will see emerge from the open source gene pool. From one perspective, these companies valued in the billions are a testament to the power of the model. What is clear is that open source is no longer a fringe approach to software. When top companies around the world are polled, few of them intend to have their core software systems be anything but open source. And if the Fortune 5000 migrate their spend on closed source software to open source, we will see the emergence of a whole new landscape of software companies, with the leaders of this new cohort valued in the tens of billions of dollars.

Clearly, that day is not tomorrow. These open source companies will need to grow and mature and develop their products and organization in the coming decade. But the trend is undeniable and here at Index we’re honored to have been here for the early days of this journey.


Source: The Tech Crunch


Xiaomi’s five-year plan is a $1.5 billion bet on smart homes

Posted on Jan 11, 2019 in Asia, China, funding, Hardware, Huawei, ikea, Lei Jun, operating system, Redmi, smart devices, smartphone, Smartphones, voice assistant, Xiaomi

Xiaomi, the Chinese company best known for budget phones, is betting big on a future of connected homes. It plans to plough at least 100 billion yuan, or $1.48 billion, into the so-called “AIoT” sector over the next five years, founder and chief operating officer Lei Jun announced on Friday.

AIoT, short for “AI + IoT,” is an upgrade from devices connected to the internet, known as the Internet of Things. AIoTs are intelligent, run on automated systems and can learn from users’ habits, like lights that automatically turn on when you get home.

“We see a future where all home devices will be connected to the internet and controlled by voice. A wave of home appliances will be replaced by smart devices. There will be an AIoT network that infiltrates every second and scenario of people’s lives, collecting mountains of users, traffic and data,” said Lei in his annual address to employees.

The plan is to get all sorts of gadgets, not just handsets, onto Xiaomi’s operating system so the company can hawk services through these devices. The move comes as Xiaomi, the world’s fourth-largest smartphone vendor, copes with a weakening market. Smartphone shipments in China were down more than 15 percent year-over-year in 2018, according to a government-backed research institute.

Phones remain strategically important to Xiaomi as it looks to lower-end phones for growth. On Thursday, the company announced it has split up (not spun out) its budget phone brand, Redmi, in the hope of launching “red rice” — what Redmi means in Chinese — to Xiaomi’s “little rice” stardom. The strategy is similar to how Huawei operates sub-brand Honor for its line of cheaper phones.

Xiaomi’s new billion-dollar pledge is a continuation of a plan in 2013 to back 100 startups over the course of five years. These portfolio companies, in turn, helped make Xiaomi products, which now count 132 million total devices (among which 20 million are active daily). Meanwhile, Xiaomi’s voice assistant Xiao Ai has hit 100 million installs.

These gadgets, along with an assortment of lifestyle products like suitcases and umbrellas, became the largest revenue driver for Xiaomi in the second quarter of last year, the company’s earnings report shows.

Xiaomi is in a land grab with other Chinese tech giants like Baidu to enter people’s homes. It’s becoming something akin to a department store, but it can’t make everything itself. Recently, the giant made a big push in TVs through a partnership with a veteran Chinese home appliance manufacturer. It’s also teamed up with IKEA on a 100 million yuan ($14.8 million) fund for third-party developers, which will enrich Xiaomi’s inventory as consumers in China may soon be able to buy Xiaomi-powered furniture from the Swedish retailer.


Source: The Tech Crunch


AWS launches Arm-based servers for EC2

Posted on Nov 27, 2018 in Amazon Web Services, amd, ARM, AWS, AWS re:Invent 2018, Cloud, cloud computing, Developer, linux, operating system, operating systems, TC, Ubuntu, web servers

At its re:Invent conference in Las Vegas, AWS today announced the launch of Arm-based servers for its EC2 cloud computing service. These aren’t run-of-the-mill Arm chips, though. AWS took the standard Arm cores and then customized them to fit its needs. The company says that its so-called AWS Graviton Processors have been optimized for performance and cost, with a focus on scale-out workloads that can be spread across a number of smaller instances (think containerized microservices, web servers, caching fleets, etc.).

The first set of instances, called A1, is now available in a number of AWS regions in the U.S. and Europe. They support all of AWS’s standard instance pricing models, including on-demand, reserved instance, spot instance, dedicated instance and dedicated host.

For now, you can only use Amazon Linux 2, RHEL and Ubuntu as operating systems for these machines, but AWS promises that additional operating system support will launch in the future.

Because these are ARM servers, you’ll obviously have to recompile any native code for them before you can run your applications on them. Virtually any application that is written in a scripting language, though, will probably run without any modifications.

Prices for these instances start at $0.0255/hour for an a1.medium machine with 1 CPU and 2 GiB of RAM and go up to $0.4080/hour for machines with 16 CPUs and 32 GiB of RAM. That’s maybe not as cheap as you would’ve expected given that an X86-based t3.nano server starts at $0.0052/hour, but you can always save quite a bit by using spot instances, of course. Until we see some benchmarks, though, it’s hard to compare these different machine types anyway.

As Amazon’s Jeff Barr notes in today’s announcement, the company’s move to its so-called Nitro System now allows it to launch new instance types at a faster clip. Nitro essentially provides the building blocks for creating new instance types that the team can then mix and match as needed.

It’s worth noting that AWS also launched support for AMD EPYC processors earlier this month.



Source: The Tech Crunch


Google tweaks Android licensing terms in Europe to allow Google app unbundling — for a fee

Posted on Oct 16, 2018 in android, antitrust, Apps, chrome os, competition, Europe, Google, google-chrome, Mobile, operating system, play store, Smartphones

Google has announced changes to the licensing model for its Android mobile operating system in Europe, including introducing a fee for licensing some of its own brand apps, saying it’s doing so to comply with a major European antitrust ruling this summer.

In July the region’s antitrust regulators hit Google with a record-breaking $5BN fine for violations pertaining to Android, finding the company had abused the dominance of the platform by requiring manufacturers to pre-install other Google apps in order to license its popular Play app store.

Regulators also found Google had made payments to manufacturers and mobile network operators in exchange for exclusively pre-installing Google Search on their devices, and used Play store licensing to prevent manufacturers from selling devices based on Android forks.

Google disputes the Commission’s findings, and last week filed its appeal — a legal process that could take years. But in the meanwhile it’s making changes to how it licenses Android in Europe to avoid the risk of additional penalties heaped on top of the antitrust fine.

Hiroshi Lockheimer, Google’s senior vice president of platforms & ecosystems, revealed the new licensing options in a blog post published today.

Under updated “compatibility agreements”, he writes that mobile device makers will be able to build and sell Android devices intended for the European Economic Area (EEA) both with and without Google mobile apps preloaded — something Google’s same ‘compatibility’ contracts restricted them from doing before, when it was strictly either/or (either you made Android forks, or you made Android devices with Google apps — not both).

“Going forward, Android partners wishing to distribute Google apps may also build non-compatible, or forked, smartphones and tablets for the European Economic Area (EEA),” confirms Lockheimer.

However the company is also changing how it licenses the full Android bundle — which previously required OEMs to load devices with the Google mobile application suite, Google Search and the Chrome browser in order to be able to offer the popular Play Store — by introducing fees for OEMs wanting to pre-load a subset of those same apps under “a new paid licensing agreement for smartphones and tablets shipped into the EEA”.

Though Google stresses there will be no charge for using the Android platform itself. (So a pure fork without any Google services preloaded still wouldn’t require a fee.)

Google also appears to be splitting out Google Search and Chrome from the rest of the Google apps in its mobile suite (which traditionally means stuff like YouTube, the Play Store, Gmail, Google Maps, although Lockheimer’s blog post does not make it clear which exact apps he’s talking about) — letting OEMs selectively unbundle some Google apps, albeit potentially for a fee, depending on the apps in question.

“[D]evice manufacturers will be able to license the Google mobile application suite separately from the Google Search App or the Chrome browser,” is what Lockheimer unilluminatingly writes.

Perhaps Google wants future unbundled Android forks to still be able to have Google Search or Chrome, even if they don’t have the Play store, but it’s really not at all clear which configurations of Google apps will be permitted under the new licensing terms, and which won’t.

“Since the pre-installation of Google Search and Chrome together with our other apps helped us fund the development and free distribution of Android, we will introduce a new paid licensing agreement for smartphones and tablets shipped into the EEA. Android will remain free and open source,” Lockheimer adds, without specifying what the fees will be either.

“We’ll also offer new commercial agreements to partners for the non-exclusive pre-installation and placement of Google Search and Chrome. As before, competing apps may be pre-installed alongside ours,” he continues to complete his trio of poorly explained licensing changes.

We’ve asked Google to clarify the various permitted and not permitted app configurations, as well as which apps will require a fee (and which won’t), and how much the fees will be, and will update this post with any response.

The devil in all those details should become clear soon though, as Google says the new licensing options will come into effect on October 29 for all new (Android based) smartphones and tablets launched in the EEA.

Update: Responding to the development, a Commission spokesperson told us: “It is Google’s responsibility to comply with its obligations under the Decision. The Commission will closely monitor Google’s compliance to ensure that the remedy is effective and respects the Decision.”

“It is for Google to decide exactly how to comply with the Commission’s decision. The decision does not require Google to charge for any of its apps or for the Play Store,” the spokesperson added. “In fact, the Decision is designed to allow, for the first time, competing search and browser providers to compete on the merits with Google for pre-installation on Android devices, leading to greater choice for consumers.

“Android remains licensed for free under an open source regime. The Decision also allows companies, for the first time, to develop and market competing operating systems based on the Android open source code (so-called “Android forks”).”


Source: The Tech Crunch


‘Unhackable’ BitFi crypto wallet has been hacked

Posted on Aug 14, 2018 in android, computing, defcon, Gadgets, john mcafee, operating system, spoiler, Startups, tablet computer, TC

The BitFi crypto wallet was supposed to be unhackable and none other than famous weirdo John McAfee claimed that the device – essentially an Android-based mini tablet – would withstand any attack. Spoiler alert: it couldn’t.

First, a bit of background. The $120 device launched at the beginning of this month to much fanfare. It consisted of a device that McAfee claimed contained no software or storage and was instead a standalone wallet similar to the Trezor. The website featured a bold claim by McAfee himself, one that would give a normal security researcher pause:

Further, the company offered a bug bounty that seems to be slowly being eroded by outside forces. They asked hackers to pull coins off of a specially prepared $10 wallet, a move that is uncommon in the world of bug bounties. They wrote:

We deposit coins into a Bitfi wallet
If you wish to participate in the bounty program, you will purchase a Bitfi wallet that is preloaded with coins for just an additional $10 (the reason for the charge is because we need to ensure serious inquiries only)
If you successfully extract the coins and empty the wallet, this would be considered a successful hack
You can then keep the coins and Bitfi will make a payment to you of $250,000
Please note that we grant anyone who participates in this bounty permission to use all possible attack vectors, including our servers, nodes, and our infrastructure

Hackers began attacking the device immediately, eventually hacking it to find the passphrase used to move crypto in and out of the wallet. In a detailed set of tweets, security researchers Andrew Tierney and Alan Woodward began finding holes by attacking the operating system itself. However, this did not match the bounty to the letter, claimed BitFi, even though they did not actually ship any bounty-ready devices.

Then, to add insult to injury, the company earned a Pwnies award at security conference Defcon. The award was given for worst vendor response. As hackers began dismantling the device, BitFi went on the defensive, consistently claiming that their device was secure. And the hackers had a field day. One hacker, 15-year-old Saleem Rashid, was able to play Doom on the device.

The hacks kept coming. McAfee, for his part, kept refusing to accept the hacks as genuine.

Unfortunately, the latest hack may have just fulfilled all of BitFi’s requirements. Rashid and Tierney have been able to pull cash out of the wallet by hacking the passphrase, a primary requirement for the bounty. “We have sent the seed and phrase from the device to another server, it just gets sent using netcat, nothing fancy.” Tierney said. “We believe all conditions have been met.”

The end state of this crypto mess? BitFi did what most hacked crypto companies do: double down on the threats. In a recently deleted Tweet they made it clear that they were not to be messed with:

The researchers, however, may still have the last laugh.


Source: The Tech Crunch
