Healthcare data breach in Singapore affected 1.5M patients, targeted the prime minister

In what’s believed to be the biggest data breach in Singapore’s history, 1.5 million members of the country’s largest healthcare group have had their personal data compromised.

The breach affected SingHealth, Singapore’s biggest network of healthcare facilities. Data obtained in the breach includes names, addresses, gender, race, date of birth and patients’ national identification numbers. Around 160,000 of the 1.5 million patients also had their outpatient medical information accessed by unauthorized individuals. All patients affected by the hack had visited SingHealth clinics between May 1, 2015 and July 4, 2018, Singapore newspaper The Straits Times reports.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System confirmed that this was a deliberate, targeted and well-planned cyberattack,” a press release from Singapore’s Ministry of Health stated. “It was not the work of casual hackers or criminal gangs.”

The hackers appear to have accessed the sensitive data by compromising a single SingHealth workstation with malware and were then able to obtain privileged account credentials with which they accessed the patient database. The breach was first noticed on July 4 and a police report was filed on July 12.

During a press conference, investigating authorities disclosed that Singapore Prime Minister Lee Hsien Loong was “specifically and repeatedly targeted.”

The Prime Minister elaborated on the incident on his Facebook page:

SingHealth’s database has experienced a major cyber-attack. 1.5 million patients have had their personal particulars…

Posted by Lee Hsien Loong on Friday, July 20, 2018

Surprise! Top sites still fail at encouraging non-terrible passwords

You would think that Amazon, Reddit, Wikipedia and other highly popular websites would by now tell you that “password1” or “hunter2” is a terrible password — just terrible. But they don’t. A research project that has kept tabs on the top sites and their password habits for the last 11 years shows that most provide only rudimentary password restrictions and do little to help users.

Steven Furnell, of the University of Plymouth, first did a survey of websites’ password practices in 2007, repeating the process in 2011 and 2014 — and then once more this week. His conclusions?

It is somewhat disappointing to find that the overall story in 2018 remains largely similar to that of 2007. In the intervening years, much has been written about the failings of passwords and the ways in which we use them, yet little is done to encourage or oblige us to follow the right path.

Although the university writeup notes that Google, Microsoft and Yahoo had the best password practices and Amazon, Reddit and Wikipedia had the worst, it diplomatically declined to go into specifics. Fortunately, I acquired the paper for myself and am prepared to name and shame.

The top 10 unique sites in English (as measured by Alexa; the lineup has changed somewhat over the years) were evaluated: Google, Facebook, Wikipedia, Reddit, Yahoo, Amazon, Twitter, Instagram, Microsoft Live and Netflix.

The biggest failure is inarguably Amazon, which combines truly inadequate password controls with an incredibly valuable and personal service. Wikipedia and Reddit had fewer restrictions, but neither protects such important data; an Amazon account being accessed by malicious actors is a far greater danger.

Amazon accepted practically every password Furnell threw at it, including repeats of the username, the user’s own name and, of course, the all-time classic, “password.” (Netflix and Reddit also took “password,” though Wikipedia didn’t. Wikipedia, on the other hand, accepted single-character passwords like “b.”)

Even sites that do have restrictions, like requiring multiple character types or rejecting commonly used passwords, seldom explain themselves. Presented with no feedback at the start, users creating an account may enter a password, only to be told it must be longer… and then, again, that it can’t have a certain word (like the user’s last name)… and then, again, that it must include special characters. And some sites have different requirements when you sign up than when you set a new one!

Why not lay it all out at the start? And for that matter, why not explain the reasoning behind it? It’d be trivial to make a little info box saying “We require X because Y.” But hardly any of the top sites do.
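As an added illustration of what "lay it all out at the start" looks like in code (this is not code from the study or from any of the sites named, and the common-password list and rule wording are constructed for the example), the checker below evaluates every rule in one pass and returns a "We require X because Y" line for each failure, rather than drip-feeding complaints one attempt at a time:

```python
"""Password-policy checker that evaluates every rule at once and explains each one.

Added example (not code from the study or any of the sites named above). It
implements the checks the article says the top sites mostly lack: a minimum
length, a common-password list, rejection of the username or the user's own
name, and rejection of passwords made of a single repeated character. The
common-password list and the rule wording are constructed for this example.
"""
import re
from dataclasses import dataclass

MIN_LENGTH = 12

# Constructed short list; a real deployment loads a large breach-derived list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "hunter2", "letmein"}


@dataclass(frozen=True)
class Rule:
    name: str
    requirement: str  # the "X" in "We require X because Y"
    reason: str       # the "Y"


LENGTH = Rule("length", f"at least {MIN_LENGTH} characters",
              "length does more than any other property to resist guessing")
COMMON = Rule("common", "a password that is not on the list of commonly used ones",
              "attackers try the most common passwords first")
PERSONAL = Rule("personal", "a password that does not contain your username or name",
                "those are the first things an attacker who knows you will try")
VARIETY = Rule("variety", "at least 4 different characters",
               "a single repeated character is guessed almost instantly")
RULES = (LENGTH, COMMON, PERSONAL, VARIETY)


def policy_text() -> list:
    """The full policy, suitable for showing before the user types anything."""
    return [f"We require {r.requirement} because {r.reason}." for r in RULES]


def _normalize(text: str) -> str:
    """Lower-case and drop punctuation so 'John.Smith' still matches 'johnsmith2024'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str, username: str = "", names: tuple = ()) -> list:
    """Return every rule the password violates (empty list means accepted).

    All rules are evaluated, not just the first failure, so the user sees the
    whole picture in one round trip rather than one complaint per attempt.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        violations.append(COMMON)
    normalized = _normalize(password)
    personal_tokens = [_normalize(t) for t in (username, *names)]
    # Ignore tokens shorter than 3 characters so initials do not cause rejections.
    if any(len(t) >= 3 and t in normalized for t in personal_tokens):
        violations.append(PERSONAL)
    if len(set(password)) < 4:
        violations.append(VARIETY)
    return violations


def explain(violations: list) -> list:
    """Turn violations into the 'We require X because Y' lines a user can act on."""
    return [f"We require {r.requirement} because {r.reason}." for r in violations]


if __name__ == "__main__":
    # Constructed inputs mirroring the article's examples: "password", a
    # single-character password, and a password built from the user's own name.
    for pw, user in [("password", "shopper42"), ("b", "wiki_editor"), ("JohnSmith2024!", "jsmith")]:
        print(pw, "->", explain(check_password(pw, user, names=("John", "Smith"))) or ["accepted"])
```

The same `policy_text()` output that explains a rejection can be rendered next to the signup form before the first keystroke, which removes the "longer... no, not your surname... no, add a symbol" sequence the article describes; using one rule table for both signup and password reset also removes the mismatch between the two flows.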

The one bit of light in this dreary report is that two-factor authentication — arguably more important than a good password — is in fact making strides, and some of the worst offenders in password policy (looking at you, Amazon) allow it. Now they just have to move it off of SMS and onto a secure authenticator app.

The final word is pretty much the same as it’s been for the last decade:

The basic argument here – as with the earlier versions of the study and the others referenced – is for provision of user-facing security to be matched with accompanying support. Passwords are a good example because we know that many people are poor at using them. And yet the lesson continues to go unheeded and we continue to criticise the method and blame the users instead.

Two-factor is a start, but:

Users arguably require more encouragement – or indeed obligation – to use them. Otherwise, like passwords themselves, they will offer the potential for protection, while falling short of doing so in practice.

In other words, quit talking about how bad passwords are and do something about it!

Okta nabs ScaleFT to build out ‘Zero Trust’ security framework

Okta, the cloud identity management company, announced today it has purchased a startup called ScaleFT to bring the Zero Trust concept to the Okta platform. Terms of the deal were not disclosed.

While Zero Trust isn’t exactly new to a cloud identity management company like Okta, acquiring ScaleFT gives them a solid cloud-based Zero Trust foundation on which to continue to develop the concept internally.

“To help our customers increase security while also meeting the demands of the modern workforce, we’re acquiring ScaleFT to further our contextual access management vision — and ensure the right people get access to the right resources for the shortest amount of time,” Okta co-founder and COO Frederic Kerrest said in a statement.

Zero Trust is a security framework that acknowledges work no longer happens behind the friendly confines of a firewall. In the old days before mobile and cloud, you could be pretty certain that anyone on your corporate network had the authority to be there, but as we have moved into a mobile world, it’s no longer a simple matter to defend a perimeter when there is effectively no such thing. Zero Trust means what it says: you can’t trust anyone on your systems and have to provide an appropriate security posture.

The idea was pioneered by Google’s “BeyondCorp” principles, and the founders of ScaleFT are adherents to this idea. According to Okta, “ScaleFT developed a cloud-native Zero Trust access management solution that makes it easier to secure access to company resources without the need for a traditional VPN.”

Okta wants to incorporate the ScaleFT team and, well, scale their solution for large enterprise customers interested in developing this concept, according to a company blog post by Kerrest.

“Together, we’ll work to bring Zero Trust to the enterprise by providing organizations with a framework to protect sensitive data, without compromising on experience. Okta and ScaleFT will deliver next-generation continuous authentication capabilities to secure server access — from cloud to ground,” Kerrest wrote in the blog post.

ScaleFT CEO and co-founder Jason Luce will manage the transition between the two companies, while CTO and co-founder Paul Querna will lead strategy and execution of Okta’s Zero Trust architecture. CSO Marc Rogers will take on the role of Okta’s Executive Director, Cybersecurity Strategy.

The acquisition allows Okta to move beyond purely managing identity into broader cyber security, at least conceptually. Certainly Rogers’ new role suggests the company could have other ideas to expand further into general cyber security beyond Zero Trust.

ScaleFT was founded in 2015 and has raised $2.8 million over two seed rounds, according to Crunchbase data.

3D printed guns are now legal… What’s next?

On Tuesday, July 10, the DOJ announced a landmark settlement with Austin-based Defense Distributed, a controversial startup led by a young, charismatic anarchist whom Wired once named one of the 15 most dangerous people in the world.

Hyper-loquacious and media-savvy, Cody Wilson is fond of telling any reporter who’ll listen that Defense Distributed’s main product, a gun fabricator called the Ghost Gunner, represents the endgame for gun control, not just in the US but everywhere in the world. With nothing but the Ghost Gunner, an internet connection, and some raw materials, anyone, anywhere can make an unmarked, untraceable gun in their home or garage. Even if Wilson is wrong that the gun control wars are effectively over (and I believe he is), Tuesday’s ruling has fundamentally changed them.

At about the time the settlement announcement was going out over the wires, I was pulling into the parking lot of LMT Defense in Milan, IL.

LMT Defense, formerly known as Lewis Machine & Tool, is as much the opposite of Defense Distributed as its quiet, publicity-shy founder, Karl Lewis, is the opposite of Cody Wilson. But LMT Defense’s story can be usefully placed alongside that of Defense Distributed, because together they can reveal much about the past, present, and future of the tools and technologies that we humans use for the age-old practice of making war.

The legacy machine

Karl Lewis got started in gunmaking back in the 1970s at Springfield Armory in Geneseo, IL, just a few exits up I-80 from the current LMT Defense headquarters. Lewis, who has a high school education but who now knows as much about the engineering behind firearms manufacturing as almost anyone alive, was working on the Springfield Armory shop floor when he hit upon a better way to make a critical and failure-prone part of the AR-15, the bolt. He first took his idea to Springfield Armory management, but they took a pass, so he rented out a small corner in a local auto repair shop in Milan, bought some equipment, and began making the bolts himself.

Lewis worked in his rented space on nights and weekends, bringing the newly fabricated bolts home for heat treatment in his kitchen oven. Not long after he made his first batch, he landed a small contract with the US military to supply some of the bolts for the M4 carbine. On the back of this initial success with M4 bolts, Lewis Machine & Tool expanded its offerings to include complete guns. Over the course of the next three decades, LMT grew into one of the world’s top makers of AR-15-pattern rifles for the world’s militaries, and it’s now in a very small club of gunmakers, alongside a few old-world arms powerhouses like Germany’s Heckler & Koch and Belgium’s FN Herstal, that supplies rifles to US SOCOM’s most elite units.

The offices of LMT Defense, in Milan, Ill. (Image courtesy Jon Stokes)

LMT’s gun business is built on high-profile relationships, hard-to-win government contracts, and deep, almost monk-like know-how. The company lives or dies by the skill of its machinists and by the stuff of process engineering — tolerances and measurements and paper trails. Political connections are also key, as the largest weapons contracts require congressional approval and months of waiting for political winds to blow in this or that direction, for countries to fall in and out of favor with each other, and for paperwork that was delayed due to a political spat over some unrelated point of trade or security to finally get put through so that funds can be transferred and production can begin.

Selling these guns is as old-school a process as making them is. Success in LMT’s world isn’t about media buys and PR hits, but about dinners in foreign capitals, range sessions with the world’s top special forces units, booths at trade shows most of us have never heard of, and secret delegations of high-ranking officials to a machine shop in a small town surrounded by corn fields on the western border of Illinois.

The civilian gun market, with all of its politics- and event-driven gyrations of supply and demand, is woven into this stable core of the global military small arms market the way vines weave through a trellis. Innovations in gunmaking flow in both directions, though nowadays they more often flow from the civilian market into the military and law enforcement markets than vice versa. For the most part, civilians buy guns that come off the same production lines that feed the government and law enforcement markets.

All of this is how small arms get made and sold in the present world, and anyone who lived through the heyday of IBM and Oracle, before the PC, the cloud, and the smartphone tore through and upended everything, will recognize every detail of the above picture, down to the clean-cut guys in polos with the company logo and fat purchase orders bearing signatures and stamps and big numbers.

The author with LMT Defense hardware.

Guns, drugs, and a million Karl Lewises

This is the part of the story where I build on the IBM PC analogy I hinted at above, and tell you that Defense Distributed’s Ghost Gunner, along with its inevitable clones and successors, will kill dinosaurs like LMT Defense the way the PC and the cloud laid waste to the mainframe and microcomputer businesses of yesteryear.

Except this isn’t what will happen.

Defense Distributed isn’t going to destroy gun control, and it’s certainly not going to decimate the gun industry. All of the legacy gun industry apparatus described above will still be there in the decades to come, mainly because governments will still buy their arms from established makers like LMT. But surrounding the government and civilian arms markets will be a brand new, homebrew, underground gun market where enthusiasts swap files on the dark web and test new firearms in their back yards.

The homebrew gun revolution won’t create a million untraceable guns so much as it’ll create hundreds of thousands of Karl Lewises — solitary geniuses who had a good idea, prototyped it, began making it and selling it in small batches, and ended up supplying a global arms market with new technology and products.

In this respect, the future of guns looks a lot like the present of drugs. The dark web hasn’t hurt Big Pharma, much less destroyed it. Rather, it has expanded the reach of hobbyist drugmakers and small labs, and enabled a shadow world of pharmaceutical R&D that feeds transnational black and gray markets for everything from penis enlargement pills to synthetic opioids.

Gun control efforts in this new reality will initially focus more on ammunition. Background checks for ammo purchases will move to more states, as policy makers try to limit civilian access to weapons in a world where controlling the guns themselves is impossible.

Ammunition has long been the crack in the rampart that Wilson is building. Bullets and casings are easy to fabricate and will always be easy to obtain or manufacture in bulk, but powder and primers are another story. Gunpowder and primers are the explosive chemical components of modern ammo, and they are difficult and dangerous to make at home. So gun controllers will seize on this and attempt to pivot to “bullet control” in the near-term.

Ammunition control is unlikely to work, mainly because rounds of ammunition are fungible, and there are untold billions of rounds already in civilian hands.

In addition to controls on ammunition, some governments will also make an effort at trying to force the manufacturers of 3D printers and desktop milling machines (the Ghost Gunner is the latter) to refuse to print files for gun parts.

This will be impossible to enforce, for two reasons. First, it will be hard for these machines to reliably tell what’s a gun-related file and what isn’t, especially if distributors of these files keep changing them to defeat any sort of detection. But the bigger problem will be that open-source firmware will quickly become available for the most popular printing and milling machines, so that determined users can “jailbreak” them and use them however they like. This already happens with products like routers and even cars, so it will definitely happen with home fabrication machines should the need arise.

Ammo control and fabrication device restrictions having failed, governments will over the longer term employ a two-pronged approach that consists of possession permits and digital censorship.

Photo courtesy of Getty Images: Jeremy Saltzer / EyeEm

First, governments will look to gun control schemes that treat guns like controlled substances (i.e. drugs and alcohol). The focus will shift to vetting and permits for simple possession, much like the gun owner licensing scheme I outlined in Politico. We’ll give up on trying to trace guns and ammunition, and focus more on authorizing people to possess guns, and on catching and prosecuting unauthorized possession. You’ll get the firearm equivalent of a marijuana card from the state, and then it won’t matter if you bought your gun from an authorized dealer or made it yourself at home.

The second component of future gun control regimes will be online suppression, of the type that’s already taking place on most major tech platforms across the developed world. I don’t think DefCad.com is long for the open web, and it will ultimately have as hard a time staying online as extremist sites like stormfront.org.

Gun CAD files will join child porn and pirated movies on the list of content it’s nearly impossible to find on big tech platforms like Facebook, Twitter, Reddit, and YouTube. If you want to trade these files, you’ll find yourself on sites with really intrusive advertising, where you worry a lot about viruses. Or, you’ll end up on the dark web, where you may end up paying for a hot new gun design with a cryptocurrency. This may be an ancap dream, but won’t be mainstream or user-friendly in any respect.

As for what comes after that, this is the same question as the question of what comes next for politically disfavored speech online. The gun control wars have now become a subset of the online free speech wars, so whatever happens with online speech in places like the US, UK, or China will happen with guns.

Ransomware technique uses your real passwords to trick you

A few folks have reported a new ransomware technique that preys upon corporate inability to keep passwords safe. The notes – which are usually aimed at instilling fear – are simple: the hacker says “I know that your password is X. Give me a bitcoin and I won’t blackmail you.”

Programmer Can Duruk reported getting the email today.

The email reads:

I’m aware that X is your password.

You don’t know me and you’re thinking why you received this e mail, right?

Well, I actually placed a malware on the porn website and guess what, you visited this web site to have fun (you know what I mean). While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger which provided me access to your display screen and webcam. Right after that, my software gathered all your contacts from your Messenger, Facebook account, and email account.

What exactly did I do?

I made a split-screen video. First part recorded the video you were viewing (you’ve got a fine taste haha), and next part recorded your webcam (Yep! It’s you doing nasty things!).

What should you do?

Well, I believe, $1400 is a fair price for our little secret. You’ll make the payment via Bitcoin to the below address (if you don’t know this, search “how to buy bitcoin” in Google) .

BTC Address: 1Dvd7Wb72JBTbAcfTrxSJCZZuf4tsT8V72
(It is cAsE sensitive, so copy and paste it)

Important:

You have 24 hours in order to make the payment. (I have a unique pixel within this email message, and right now I know that you have read this email). If I don’t get the payment, I will send your video to all of your contacts including relatives, coworkers, and so forth. Nonetheless, if I do get paid, I will erase the video immediately. If you want evidence, reply with “Yes!” and I will send your video recording to your 5 friends. This is a non-negotiable offer, so don’t waste my time and yours by replying to this email.

To be clear there is very little possibility that anyone has video of you cranking it unless, of course, you video yourself cranking it. Further, this is almost always a scam. That said, the fact that the hackers are able to supply your real passwords – most probably gleaned from the multiple corporate break-ins that have happened over the past few years – is a clever change to the traditional cyber-blackmail methodology.

Luckily, the hackers don’t have current passwords.

“However, all three recipients said the password was close to ten years old, and that none of the passwords cited in the sextortion email they received had been used anytime on their current computers,” wrote researcher Brian Krebs. In short, the password files the hackers have are very old and outdated.

To keep yourself safe, however, cover your webcam when not in use and change your passwords regularly. Beyond that, two-factor authentication and secure logins are the best protection available, even if they take some effort to set up.
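The template quoted above is formulaic enough to triage automatically. The following is an added example (not from the article, Duruk or Krebs) of mail-filter logic that scores a message on the template’s tell-tale claims and pulls out the password the sender claims to know, so the recipient can check how old it is. The sample message and the Bitcoin address in it are constructed for the example; the address is not a real wallet.

```python
"""Triage for 'I know your password' extortion mail (added example, not from the article).

Flags the template the article quotes: a claimed password, webcam/keylogger
claims, a short deadline, a tracking-pixel claim and a Bitcoin payment
address. The sample message and its Bitcoin address are constructed for this
example; the address is not a real wallet.
"""
import re
from typing import Optional

# Legacy base58 addresses start with 1 or 3; bech32 addresses start with bc1.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})\b")

# Two phrasings seen in these mails: "I'm aware that X is your password." and
# "I know that your password is X."
PASSWORD_CLAIMS = (
    re.compile(r"(?:aware|know) that\s+(\S+)\s+is your password", re.I),
    re.compile(r"your password is\s+(\S+)", re.I),
)

INDICATORS = {
    "password_claim": re.compile(r"(?:aware|know) that\s+\S+\s+is your password|your password is\s+\S+", re.I),
    "surveillance_claim": re.compile(r"\b(?:webcam|keylogger|remote desktop|rdp)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}\s*hours?\b", re.I),
    "tracking_pixel": re.compile(r"\bpixel\b", re.I),
    "crypto_payment": re.compile(r"\b(?:bitcoin|btc)\b", re.I),
}

# Constructed sample modelled on the message quoted in the article.
SAMPLE_EMAIL = """I'm aware that hunter2 is your password.
You don't know me and you're thinking why you received this e mail, right?
While you were watching the video, your web browser acted as a RDP (Remote Desktop) and a keylogger.
I made a split-screen video of you and your webcam.
I believe $1400 is a fair price. You'll make the payment via Bitcoin to the below address.
BTC Address: 1ExampLeAddrCoNsTrUcTeDfAkExxxxxxx
You have 24 hours in order to make the payment. (I have a unique pixel within this email message)
"""


def extract_claimed_password(body: str) -> Optional[str]:
    """The password the sender claims to know, so the recipient can check its age."""
    for pattern in PASSWORD_CLAIMS:
        m = pattern.search(body)
        if m:
            return m.group(1).rstrip(".,;:!\"'")
    return None


def triage(body: str) -> dict:
    """Score a message body; returns matched indicators, addresses, score and verdict."""
    matched = [name for name, pattern in INDICATORS.items() if pattern.search(body)]
    addresses = BTC_ADDRESS.findall(body)
    score = len(matched) + (1 if addresses else 0)
    # Require a payment demand plus several of the template's claims; a lone
    # "48 hours" in a normal business mail must not trip the filter.
    demands_payment = bool(addresses) or "crypto_payment" in matched
    verdict = "likely sextortion scam" if demands_payment and score >= 3 else "inconclusive"
    return {"indicators": matched, "btc_addresses": addresses, "score": score, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"], result["indicators"], result["btc_addresses"])
    print("claimed password:", extract_claimed_password(SAMPLE_EMAIL))
```

The useful defender step is the last one: take the extracted password and compare it against the account’s password-change history. As Krebs’ correspondents found, the claimed password is typically from a years-old breach dump, and if it is still in use anywhere it should be rotated regardless of the rest of the message.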

Facial recognition startup Kairos acquires Emotion Reader

Kairos, the face recognition technology used for brand marketing, has announced the acquisition of EmotionReader.

EmotionReader is a Limerick, Ireland-based startup that uses algorithms to analyze facial expressions around video content. The startup allows brands and marketers to measure viewers’ emotional response to video, analyze viewer response via an analytics dashboard, and make different decisions around media spend based on viewer response.

The acquisition makes sense considering that Kairos’ core business is focused on facial identification for enterprise clients. Knowing who someone is, paired with how they feel about your content, is a powerful tool for brands and marketers.

The idea for Kairos started when founder Brian Brackeen was making HR time-clocking systems for Apple. People were cheating the system, so he decided to implement facial recognition to ensure that employees were actually clocking in and out when they said they were.

That premise spun out into Kairos, and Brackeen soon realized that facial identification as a service was much more powerful than any niche time clocking service.

But Brackeen is very cautious with the technology Kairos has built.

While Kairos aims to make facial recognition technology (and all the powerful insights that come with it) accessible and available to all businesses, Brackeen has been very clear about the fact that Kairos isn’t interested in selling this technology to government agencies.

Brackeen recently contributed a post right here on TechCrunch outlining the various reasons why governments aren’t ready for this type of technology. Alongside the outstanding invasion of personal privacy, there are also serious issues around bias against people of color.

From the post:

There is no place in America for facial recognition that supports false arrests and murder. In a social climate wracked with protests and angst around disproportionate prison populations and police misconduct, engaging software that is clearly not ready for civil use in law enforcement activities does not serve citizens, and will only lead to further unrest.

As part of the deal, EmotionReader CTO Dr. Stephen Moore will run Kairos’ new Singapore-based R&D center, allowing for upcoming APAC expansion.

Kairos has raised approximately $8 million from investors New World Angels, Kapor Capital, 500 Startups, Backstage Capital, Morgan Stanley, Caerus Ventures, and Florida Institute.

Court victory legalizes 3D-printable gun blueprints

A multi-year legal battle over the ability to distribute computer models of gun parts and replicate them in 3D printers has ended in defeat for government authorities who sought to prevent the practice. Cody Wilson, the gunmaker and free speech advocate behind the lawsuit, now intends to expand his operations, providing printable gun blueprints to all who desire them.

The longer story of the lawsuit is well told by Andy Greenberg over at Wired, but the decision is eloquent on its own. The fundamental question is whether making 3D models of gun components available online is covered by the free speech rights granted by the First Amendment.

This is a timely but complex conflict because it touches on two themes that happen to be, for many, ethically contradictory. Arguments for tighter restrictions on firearms are, in this case, directly opposed to arguments for the unfettered exchange of information on the internet. It’s hard to advocate for both here: restricting firearms and restricting free speech are one and the same.

That at least seems to be the conclusion of the government lawyers, who settled Wilson’s lawsuit after years of court battles. In a copy of the settlement provided to me by Wilson, the U.S. government agrees to exempt “the technical data that is the subject of the Action” from legal restriction. The modified rules should appear in the Federal Register soon.

What does this mean? It means that a 3D model that can be used to print the components of a working firearm is legal to own and legal to distribute. You can likely even print it and use the product — you just can’t sell it. There are technicalities to the law here (certain parts are restricted, but can be sold in an incomplete state, etc.), but the implications as regards the files themselves seem clear.

Wilson’s original vision, which he is now pursuing free of legal obstacles, is a repository of gun models, called DEFCAD, much like any other collection of data on the web, though naturally considerably more dangerous and controversial.

“I currently have no national legal barriers to continue or expand DEFCAD,” he wrote in an email to TechCrunch. “This legal victory is the formal beginning to the era of downloadable guns. Guns are as downloadable as music. There will be streaming services for semi-automatics.”

The concepts don’t map perfectly, no doubt, but it’s hard to deny that with the success of this lawsuit, there are few legal restrictions to speak of on the digital distribution of firearms. Even before it, there were few technical restrictions: certainly just as you could download MP3s on Napster in 2002, you can download a gun file today.

Gun control advocates will no doubt argue that greater availability of lethal weaponry is the opposite of what is needed in this country. But others will point out that in a way this is a powerful example of how liberally free speech can be defined. It’s important to note that both of these things can be true.

This court victory settles one case, but marks the beginning of many others. “I have promoted my values for years with great care and diligence,” Wilson wrote. It’s hard to disagree with that. Those whose values differ are free to pursue them in their own way; perhaps they too will be awarded victories of this scale.

Apple releases new iPad, FaceID ads

Apple has released a handful of new ads promoting the iPad’s portability and convenience over both laptops and traditional paper solutions. The 15-second ads focus on how the iPad can make even the most tedious things — travel, notes, paperwork, and ‘stuff’ — just a bit easier.

Three out of the four spots show the sixth-generation iPad, which was revealed at Apple’s education event in March, and which offers a lower-cost ($329 in the U.S.) option with Pencil support.

The ads were released on Apple’s international YouTube channels (UAE, Singapore, and United Kingdom).

This follows another 90-second ad released yesterday, focusing on FaceID. The commercial shows a man in a gameshow-type setting asked to remember the banking password he created earlier that morning. He struggles for an excruciating amount of time before realizing he can access the banking app via FaceID.

There has been some speculation that FaceID may be incorporated into some upcoming models of the iPad, though we’ll have to wait until Apple’s next event (likely in September) to find out for sure.

Timehop discloses July 4 data breach affecting 21 million

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users. Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.

However, the keys that allow it to read and show users their social media content were compromised — so it has deactivated all keys, meaning Timehop users will have to re-authenticate to its app to continue using the service.

“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.”

It does also admit that the tokens could “theoretically” have been used for unauthorized users to access Timehop users’ own social media posts during “a short time window” — although again it emphasizes “we have no evidence that this actually happened”.

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.

That’s very clearly a major security failure — but one Timehop does not explicitly explain, writing only that: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”. So evidently there was more than one vulnerable account for attackers to target.

Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts.
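The gap Timehop describes, cloud accounts that could sign in without multifactor authentication, is something a defender can enumerate rather than discover from an intrusion. The following is an added illustration, not Timehop’s code or anything from its disclosure: it parses a constructed sample in the column layout of an AWS IAM credential report (the CSV returned by `aws iam get-credential-report`, truncated here to its first nine columns) and lists every account that can log in interactively but has no MFA device active. The account names and timestamps are made up.

```python
import csv
import io

# Constructed sample, not real data: the first nine columns of an AWS IAM
# credential report. The root account always reports password_enabled as
# "not_supported" even though it can sign in, so it is handled explicitly.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,2015-01-01T00:00:00+00:00,not_supported,2018-07-01T10:00:00+00:00,not_supported,not_supported,true,false
alice,arn:aws:iam::123456789012:user/alice,2016-03-10T00:00:00+00:00,true,2018-07-03T09:00:00+00:00,2018-01-01T00:00:00+00:00,N/A,true,true
bob,arn:aws:iam::123456789012:user/bob,2016-05-02T00:00:00+00:00,true,2018-07-04T11:30:00+00:00,2017-11-20T00:00:00+00:00,N/A,false,true
carol,arn:aws:iam::123456789012:user/carol,2017-09-15T00:00:00+00:00,true,no_information,2017-09-15T00:00:00+00:00,N/A,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2017-01-08T00:00:00+00:00,false,no_information,N/A,N/A,false,true
"""

ROOT_USER = "<root_account>"


def can_sign_in_interactively(row: dict) -> bool:
    """Root can always use the console; other users only if a password is set."""
    return row["user"] == ROOT_USER or row["password_enabled"] == "true"


def accounts_missing_mfa(report_csv: str) -> list[str]:
    """Return the names of console-capable accounts with no active MFA device.

    Access-key-only principals (password_enabled == false) are skipped: they
    cannot use the console, and MFA on API keys is enforced differently
    (via IAM policy conditions), so they are a separate audit.
    """
    missing = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if can_sign_in_interactively(row) and row["mfa_active"] != "true":
            missing.append(row["user"])
    return missing


def mfa_coverage(report_csv: str) -> tuple[int, int]:
    """Return (console_accounts, console_accounts_with_mfa) for a quick ratio."""
    total = covered = 0
    for row in csv.DictReader(io.StringIO(report_csv)):
        if can_sign_in_interactively(row):
            total += 1
            if row["mfa_active"] == "true":
                covered += 1
    return total, covered


if __name__ == "__main__":
    total, covered = mfa_coverage(SAMPLE_REPORT)
    print(f"console-capable accounts: {total}, with MFA: {covered}")
    for name in accounts_missing_mfa(SAMPLE_REPORT):
        print(f"MISSING MFA: {name}")
```

Run against a real report, the same function flags every account an attacker could use with a password alone; a scheduled run that alerts when the list is non-empty is the kind of control that would have made Timehop’s gap visible before the incident.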

For now, by way of explanation, it writes: “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.” Which does have a distinct ‘stable door being locked after the horse has bolted’ feel to it.

It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident response to trigger a “more pervasive” security overhaul.

Also not entirely clear from Timehop’s blog post: when, or whether, affected users were notified that their information had been breached.

The company posted the blog post disclosing the security breach to its Twitter account on July 8. But prior to that its Twitter account was only noting that some “unscheduled maintenance” might be causing problems for users accessing the app…

We’ve reached out to the company with questions and will update this post with any response.

Timehop does say that at the same time as it was working to shut down the attack and tighten up its security, company executives contacted local and federal law enforcement officials — presumably to report the breach.

Breach reporting requirements are baked into Europe’s recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting a universal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in “a risk to the rights and freedoms of natural persons”).

Referencing GDPR, Timehop writes: “Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”

The company also writes that it has engaged the services of an (unnamed) cyber threat intelligence company to look for evidence of use of the email addresses, phone numbers, and names of users being posted or used online and on the Dark Web — saying that “while none have appeared to date, it is a high likelihood that they will soon appear”.

Timehop users who are worried the network intrusion and data breach might have impacted their “Streak” — aka the number Timehop displays to denote how many consecutive days they have opened the app — are being reassured by the company that “we will ensure all Streaks remain unaffected by this event”.

RIP “crypto”

RIP “crypto”. You had a good run.

This week veteran cryptographer Matt Blaze finally gave in — to what must have been a near-constant, low-level drone of ‘CAn Buy Crypto.com???$$$$!’ spam — and sold the pithy domain name he registered in 1993, in the midst of the PC era crypto wars, to use as an encryption policy resource, to Monaco, a Zug, Switzerland-based payments and cryptocurrency platform startup whose self-styled mission is “accelerating the world’s transition to cryptocurrency”, positioning itself at the nexus of the current crypto craze.

So crypto.com now points to cryptocurrencies.

Which seems a fitting moment to say RIP “crypto” as shorthand terminology for an entire domain of cryptographic work that underpins so many more things than just Bitcoin or Ether or Ripple or Litecoin or Zcash — or any of the myriad digital coins that have winked (and more recently minted) into virtual existence over the last decade or so, hoping to hit the crypto jackpot.

Frankly this is not at all fair. But, linguistically, so it goes. Languages live or they die. And to live in linguistic terms means to shift your meaning as word usage ebbs and flows.

The sale of crypto.com tells us not so much that money talks, though clearly there’s that too — domain sellers were speculating that the price for crypto.com could have been a cool $5M-$10M, per this Verge report from March; though the actual price-tag paid by Monaco has not been disclosed.

Mostly it underlines that trying to push as an individual against a surging tide is hopeless. Principled, one-man stands of linguistic resistance against the crypto(currency) craze are futile at this particular juncture of its technological development. Spam with no end in sight would wear down the will of anyone.

So apologies also to the few folks who have written to complain about incorrect use of “crypto” in TC headlines. Using “cryptocurrency” is indeed more accurate if that’s what the story is about. But as a term it’s headline-unfriendly as well as being really quite a horrible mouthful.

And, well, “coin” is too generic unless you’re coin trade press.

Alternative linguistic confections — anyone for ‘cryptoc’? — were never going to fly. So cryptocurrency colloquially colonizing “crypto” was really only a matter of time, given how many joules of attention-energy are being claimed and drained in its name.

Turns out language change can have plenty to do with the price of Bitcoin.

On the flip side, any craze can be a fleeting thing, and it’s entirely possible that, in time, “crypto” could revert to its proper meaning of cryptography should the cryptocurrency hype die back, as hype is wont to do when people get bored — because something that was new and novel becomes properly understood and adopted (and thus less of a conversation starter).

Sustained acceptance can make tongue-tripping nicknames less necessary, and reset the linguistic order.

Equally, though, a nickname can stubbornly stick around for ages — outlasting any nonprofessional understanding of the logic underlying its coinage.

Or at least until evolving usage causes another terminology shift. Think, for example, of the rhythmic swings of “telephone” -> “phone” -> “mobile phone” -> “mobile”.

Crypto(currency) could ultimately even lose the ‘crypto’ prefix should the technology end up becoming so ubiquitous as to be considered synonymous with the generic term “currency”, and usurp/displace that word, sinking back into the accepted conceptual morass that envelops the idea of money.

Of course the crypto(graphy) community have not been at all happy about the linguistic sands shifting treacherously under their foundational field.

And they do have a point, given that without their founding crypto there could be no, er, ‘crypto’…

“‘Crypto’ could mean encryption, cryptography, or cryptology, but never cryptocurrency,” one computing academic tells us, adding: “I’ve heard plenty of whinging about the changed meaning of ‘crypto’ and I don’t expect a dignified fall-back.”

“Normal usage says ‘encryption’ is only one application of ‘cryptography’ (building schemes for encryption and similar apps) which together with ‘cryptanalysis’ (trying to break such schemes) makes up ‘cryptology’,” he adds.

Certainly, don’t expect the original crypto community to migrate to alternative terminology — not willingly, and not anytime soon. Which will probably make for some confused messaging at times. But technology applying pressure points to human communications is just par for the course.

As recently as last month the content on Blaze’s (now former) website included the express declaration that: “This site does not trade in or provide services related to cryptocurrencies. It is concerned with cryptography, computer and network security, and technology policy research.”

It further capped that caveat with an explicit disclaimer — writing: “Warning: Many cryptocurrencies are scams, and I strongly advise against their use as investment vehicles.”

Visitors to crypto.com now will not encounter any such caveats. But most of these folks probably weren’t headed there looking for cautionary tales. Nor seeking Blaze’s contact details. So you really can’t blame him for moving with the times.

For the original crypto community, playing the long game and waiting for the upstart crypto usurper to get linguistically cut back down to size seems the best option.

Sure, they’ve lost this “crypto” war — but many more important crypto wars remain to be fought and (hopefully) won.

And of course, in the far-flung future, who knows how 2018’s crypto craze will be viewed? Perhaps as the pinnacle of a hype-cycle that didn’t end in the wholesale reconfiguration of business and society that the crypto oracles promise, even if they managed to shift the conversation of a certain IT crowd for a while.

On another level, given rising levels of tech-fueled disruptive uncertainty crisscrossing so many facets of life, perhaps it’s fitting for “crypto” to become something of a cipher itself, devoid of fixed meaning.

“Encryption technology is the key to the future of the information revolution,” wrote Blaze in 1996. “It allows businesses and individuals to communicate securely over any inexpensive communication platform without fear of eavesdropping.”

That sentiment at least remains constant.