Connect with us

Biz & IT

Blindlee is Chatroulette for dating with a safety screen

Published

on

Make space for another dating app in your single life: Blindlee is Chatroulette for dating but with female-friendly guardrails in the form of a user-controlled video blur effect.

The idea is pretty simple: Singles are matched randomly with another user who meets some basic criteria (age, location) for a three minute ‘ice breaker’ video call. The app suggests chat topics — like ‘pineapple on pizza, yay or nay’ — to get the conversation flowing. After this, each caller chooses whether or not to match — and if both match they can continue to chat via text.

The twist is that the video call is the ‘first contact’ medium for determining whether it’s a match or not. The call also starts “100% blurred” — for obvious, ‘dick pic’ avoidance reasons.

Blindlee says female users have control of the level of blur during the call — meaning they can elect to reduce it to 75%, 50%, 25% or nothing if they like what they’re (partially) seeing and hearing. Though their interlocutor also has to agree to the reduction so neither side can unilaterally rip the screen away.

Dating apps continue to be a bright spot for experimental ideas, despite category giants like Tinder dominating with a much cloned swipe-to-match formula. Tech giant Facebook also now has its own designs on the space. But turns out there’s no fixed formula for finding love or chemistry.

All the data in the world can’t necessarily help with that problem. So a tiny, bootstrapping startup like Blindlee could absolutely hit on something inspired that Tinder or Facebook hasn’t thought of (or else feels it can’t implement across a larger user-base).

Co-founder Sacha Nasan also reckons there’s space for supplementary dating apps.

“We’re focusing on blind dating which is a subset of dating so you can say that indirectly rather than directly we are competing with the big dating apps (Tinder etc). This is more niche and is definitely a new, untried concept to the dating world,” he argues. “However the good thing about dating apps is that they are not substitutes but complements.

“Just like people may have installed Uber on their phone but also Hailo and Lyft, people have multiple datings app installed as well (to maximise their chances of finding a partner) and that is an advantage. Nonetheless we still think that we only indirectly compete with other dating apps.”

Using a blur effect to preserve privacy is not in itself entirely a new idea. For example Muzmatch, a YC-backed dating app focused on matchmaking Muslims, offers a blur feature to users not wanting to put their profile photos out there for any other user to see.

But Blindlee is targeting a more general dating demographic. Though Nasan says it does plan to expand matching filters, if/when it can grow its user-base, to include additional criteria such as religion.

“The target is anyone above 18 (for legal reasons) and from the data we see most users are under 30,” he says. “So this covers university students to young professionals. On the spectrum of dating apps where ‘left’ would be hookups apps (like Tinder used to be) and ‘right’ would be relationship app (like Hinge), we position ourself more on the right side (a relationship app).”

Blindlee is also using video as the chemistry-channeling medium to help users decide if they match or not.

This is clever because it’s still a major challenge to know if you’ll click with an Internet stranger in real life with only a digitally mediated version of the person to go on. At least live on camera there’s only so much faking that can be done — well, unless the person is a professional actor or scammer.

And while plunging into a full-bore videochat with a random might sound a bit much, a blurry teaser with conversation prompts looks fairly low risk.

The target user for Blindlee is also likely to have grown up online and with smartphones and Internet video culture. A videocall should therefore be a pretty comfortable medium of expression for these singles.

“The idea came from my experience in the app world (since the age of 14) combined with a situation where my cousin… went on a date from one of the dating apps where the man who showed up was about 15 years older. The man had used old pictures on his profile,” explains Nasan. “That’s just one story and there are plenty like these so I grew tired of the sometimes fake and superficial aspect of the online dating world. Together with my cousin’s brother [co-founder, Glenn Keller] we decided to develop Blindlee to make the process more transparent and safer but also fun.

“Blindee makes for a fun three-minute blurred video experience with a random person matching your criteria. It’s kind of like a short, pre-date ice-breaker before you potentially match and decide to meet in real life. And we put control of the blur filter in the woman’s hand to make it safer for women (but also because if the men would have control they would straight away ask to unblur it — and we have tested this!).”

The app is a free download for now but the plan is to move to a freemium model with a limit on the number of free video chats per day — charging a monthly subscription to unlock more than three daily calls.

“This will be priced cheap around £3-4/month compared to usual dating premium subscription which cost £10+ a month,” he says. “We basically look at this income as a way of paying the server bills (as every minute of video costs us).”

The London-based startup was founded in March and launched the app in October on iOS, adding an Android version earlier this month. Nasan says they’ve picked up around 5,000 registered users so far with only minimal marketing — such as dropping flyers on London university campuses.

While they’re bootstrapping the launch he says they may look to take in angel funding “as we see growth picking up”.

Source link



Source link

Continue Reading

Biz & IT

Starlink dishes go into “thermal shutdown” once they hit 122° Fahrenheit

Published

on

Enlarge / Starlink satellite dish and equipment in the Idaho panhandle’s Coeur d’Alene National Forest.

A Starlink beta user in Arizona said he lost Internet service for over seven hours yesterday when the satellite dish overheated, demonstrating one of the drawbacks of SpaceX’s broadband service. When the user’s Internet service was disrupted, the Starlink app provided an error message saying, “Offline: Thermal shutdown.” The dish “overheated” and “Starlink will reconnect after cooling down,” the error message said.

The user, named Martin, posted a screenshot of the error message on Reddit. He contacted Starlink support, which told him, “Dishy will go into thermal shutdown at 122F and will restart when it reaches 104F.” Martin decided to give the dish a little water so it could cool down. He pointed a sprinkler at Dishy, and once it cooled enough to turn back on, “I immediately heard YouTube resume playback,” he wrote yesterday.

But the Internet restoration was short-lived, Martin told Ars in a chat today.

“The fix was temporary,” he told us. “When I stopped the sprinkler, [the dish] heated back up and would cycle back on for a few minutes and go back down for thermal shutdown. The overheating started that day about 11:30 am and came back for good about 7 pm… I’m currently headed to a hardware store to get materials to build a solar shade/sail around the dish to see if it doesn’t impact connection and speed.”

Martin uses the ground behind his house to set up his dish because it is the only spot with no obstructions. But there’s “no shade to speak of,” he wrote in the Reddit comment thread.

Thermal shutdowns affect other users

Officially, SpaceX has said that “Dishy McFlatface” is certified to operate from 22° below zero up to 104° Fahrenheit. Temperatures reached about 120° yesterday in Martin’s town of Topock, near Arizona’s border with California, he said. Though Dishy doesn’t go into thermal shutdown until it hits 122°, the dish can obviously get hotter than the air temperature.

“I’m thinking the radiating heat from the ground is effectively cooking the bottom of the dish, [while] the top of the dish is cooked by the sun,” Martin told Ars. In addition to the shade he’s building, Martin said he is “waiting for permitting for a HAM radio tower” that would lift the dish off the ground to help keep it cool enough to operate.

Martin said he also had very short outages on several days since last week, but service came back before he had time to confirm whether they were caused by heat. SpaceX told users to expect periodic outages during beta, so Martin’s previous outages could have been due either to heat or satellite availability.

Another user in Virginia experienced a half-hour outage due to overheating on a day with temperatures in the low 80s, according to a Reddit post two months ago.

Martin’s post spurred a response from a beta user who also reported thermal shutdowns. “You’re not the only one. My Starlink is located 50 miles south of Grand Canyon in remote area,” one person wrote yesterday. “It’s been off and on also. It stopped today one hour after cool down period but quit again as [of] ~12:30. Last reported temp at my weather station was 103 degrees.”

The 122° F shutdown temperature was mentioned three weeks ago in a Reddit post by a user who had also been given the figure by Starlink support. “‘That’s it??’ was my thought. On a 90 degree day, the rooftop of my house can be around 125 degrees,” that user wrote.

“Are you sure that wasn’t Celsius?” another asked. (122° C converts to 251.6° F.)

Like Martin, other Starlink users may have to find creative ways to keep their dishes cool as the summer months arrive.

Dishy’s heat management

As we wrote in December, a teardown of Dishy McFlatface showed some of its heat-management components, including a metal shield that’s peppered with blue dots made of thermally conductive material that conducts heat away from the PCB and into the shield.

Ken Keiter, the engineer who performed the teardown, was interviewed by Vice’s Motherboard section for a story about the Arizona resident today:

Keiter told Motherboard that while reasonable consideration was given to heat dissipation in Dishy’s design, he could see the potential for problems.

“The phased array assembly comprises a PCBA (printed circuit board assembly) adhered to an aluminum backplate which serves several purposes—acting as RF shielding, providing structural rigidity and, most relevantly, acting as a radiative thermal mass (heat sink) for the components on the PCBA,” Keiter said.

Heat is funneled from the circuit board to the aluminum backplate using a foam-like thermal interface material (TIM). The backplate itself resides in a weather-sealed cavity containing a small amount of air. As this backplate heats up, the air surrounding it also heats, transferring thermal energy via the plastic enclosure to the outside environment, Keiter said.

“Here’s the problem: at some point, the combined thermal energy being absorbed by Dishy’s face and being dumped by the components into the backplate, the air surrounding it, and the enclosure exceeds the amount that is being dissipated to the outside environment,” he noted.

Keiter said that software changes could “make the system more thermally efficient” but that it’s possible SpaceX will need to make “a significant hardware revision for the commercial launch.” He called it “a really tricky engineering problem with some insanely tight constraints.”

We contacted SpaceX today and will update this article if we get a response.

SpaceX seeks stability before exiting beta

The Starlink public beta began in October 2020, and there’s still no word on when exactly it will hit commercial availability. But the service could happen within months, as SpaceX CEO Elon Musk has said that Starlink will be available to “most of Earth” by the end of 2021 and the whole planet by next year. Still, SpaceX expects to have a limited number of slots in each geographic region because of capacity constraints.

SpaceX is seeking Federal Communications Commission permission to deploy up to 5 million user terminals in the US. Over 500,000 people have ordered Starlink, and Musk has said he expects all of those users to get service. But he also said that SpaceX will face “more of a challenge when we get into the several million user range.” The biggest limitation would be in densely populated urban areas; rural users would have better odds of getting service.

As noted earlier, Starlink warns beta users to expect “brief periods of no connectivity at all”—even if they don’t run into thermal shutdowns. “We still have a lot of work to do to make the network reliable,” SpaceX president and COO Gwynne Shotwell said in April. “We still have drops, not necessarily just because of where the satellites are in the sky.” SpaceX will keep the service in beta “until the network is reliable and great and something we’d be proud of,” Shotwell said.

The Verge reviewed Starlink last month and found frustrating reliability problems. “Like the similarly over-hyped mmWave 5G, Starlink is remarkably delicate. Even a single tree blocking the dish’s line of sight to the horizon will degrade and interrupt your Starlink signal,” The Verge wrote.

Starlink is only part of the solution

The service will surely become more stable by the time SpaceX moves it from beta to general availability, as Shotwell promised. Even in beta, Starlink is providing much-needed connectivity to people with no other options. If SpaceX brings reliable broadband to a few million users, that would be a success, but there may be tens of millions of Americans without access to high-speed broadband. Tens of millions of others have to pay whatever the cable company demands because there’s no competition where they live.

Widespread fiber-to-the-home deployment would make a bigger difference for more Internet users than Starlink. President Joe Biden pledged to lower prices and deploy “future-proof” broadband to all Americans, but he’s already scaled back his plan in the face of opposition from Republicans and incumbent ISPs. AT&T has been lobbying against nationwide fiber and funding for municipal networks, and AT&T CEO John Stankey expressed confidence last week that Congress will steer legislation in the direction that AT&T favors.

Continue Reading

Biz & IT

Nameless malware collects 1.2TB of sensitive data and stashes it online

Published

on

Researchers have discovered yet another massive trove of sensitive data, a dizzying 1.2TB database containing login credentials, browser cookies, autofill data, and payment information extracted by malware that has yet to be identified.

In all, researchers from NordLocker said on Wednesday, the database contained 26 million login credentials, 1.1 million unique email addresses, more than 2 billion browser cookies, and 6.6 million files. In some cases, victims stored passwords in text files created with the Notepad application.

The stash also included over 1 million images and more than 650,000 Word and .pdf files. Additionally, the malware made a screenshot after it infected the computer and took a picture using the device’s webcam. Stolen data also came from apps for messaging, email, gaming, and file-sharing. The data was extracted between 2018 and 2020 from more than 3 million PCs.

A booming market

The discovery comes amid an epidemic of security breaches involving ransomware and other types of malware hitting large companies. In some cases, including the May ransomware attack on Colonial Pipeline, hackers first gained access using compromised accounts. Many such credentials are available for sale online.

Alon Gal—co-founder and CTO of security firm Hudson Rock—said that in many cases, such data such is first collected by stealer malware installed by an attacker attempting to steal cryptocurrency or commit a similar type of crime.

The attacker “will likely then try to steal cryptocurrencies, and once he is done with the information, he will sell to groups whose expertise is ransomware, data breaches, and corporate espionage,” Gal told me. “These stealers are capturing browser passwords, cookies, files, and much more and sending it to the [command and control server] of the attacker.”

NordLocker researchers said there’s no shortage of sources for attackers to secure such information.

“The truth is, anyone can get their hands on custom malware,” the researchers wrote. “It’s cheap, customizable, and can be found all over the web. Dark web ads for these viruses uncover even more truth about this market. For instance, anyone can get their own custom malware and even lessons on how to use the stolen data for as little as $100. And custom does mean custom—advertisers promise that they can build a virus to attack virtually any app the buyer needs.”

NordLocker hasn’t been able to identify the malware used in this case. Gal said that from 2018 to 2019, widely used malware included Azorult and, more recently, an info stealer known as Raccoon. Once infected, a PC will regularly send pilfered data to a command and control server operated by the attacker.

In all, the malware collected account credentials for almost 1 million sites, including Facebook, Twitter, Amazon, and Gmail. Of the 2 billion cookies extracted, 22 percent remained valid at the time of the discovery. The files can be useful in piecing together the habits and interests of the victim, and if the cookies are used for authentication, they give access to the person’s online accounts. NordLocker provides other figures here.

People who want to determine if their data got swept up by the malware can check the Have I Been Pwned breach notification service.

Continue Reading

Biz & IT

Hackers can mess with HTTPS connections by sending data to your email server

Published

on

When you visit an HTTPS-protected website, your browser doesn’t exchange data with the webserver until it has ensured that the site’s digital certificate is valid. That prevents hackers with the ability to monitor or modify data passing between you and the site from obtaining authentication cookies or executing malicious code on the visiting device.

But what would happen if a man-in-the-middle attacker could confuse the browser into accidentally connecting to an email server or FTP server that uses a certificate that’s compatible with the one used by the website?

The perils of speaking HTTPS to an email server

Because the domain name of the website matches the domain name in the email or FTP server certificate, the browser will, in many cases, establish a Transport Layer Security connection with one of these servers rather than the website the user intended to visit.

Because the browser is communicating in HTTPS and the email or FTP server is using SMTP, SFTP, or another protocol, the possibility exists that things might go horribly wrong—a decrypted authentication cookie could be sent to the attacker, for instance, or an attacker could execute malicious code on the visiting machine.

The scenario isn’t as farfetched as some people might think. New research, in fact, found that roughly 14.4 million webservers use a domain name that’s compatible with the cryptographic credential of either an email or FTP server belonging to the same organization. Of those sites, about 114,000 are considered exploitable because the email or FTP server uses software that’s known to be vulnerable to such attacks.

Such attacks are possible because of the failure of TLS to protect the integrity of the TCP connection itself rather than the integrity of just the server speaking HTTP, SMTP, or another Internet language. Man-in-the-middle attackers can exploit this weakness to redirect TLS traffic from the intended server and protocol to another, substitute endpoint and protocol.

“The basic principle is that an attacker can redirect traffic intended for one service to another, because TLS does not protect the IP address or port number,” Marcus Brinkmann, a researcher at Ruhr University Bochum in Germany, told me. “In the past, people have considered attacks where the MitM attacker redirects a browser to a different web server, but we are considering the case where the attacker redirects the browser from the webserver to a different application server such as FTP or email.”

Cracks in the cornerstone

Typically abbreviated as TLS, Transport Layer Security uses strong encryption to prove that an end user is connected to an authentic server belonging to a specific service (such as Google or Bank of America) and not an impostor masquerading as that service. TLS also encrypts data as it travels between an end user and a server to ensure that people who can monitor the connection can’t read or tamper with the contents. With millions of servers relying on it, TLS is a cornerstone of online security.

In a research paper published on Wednesday, Brinkmann and seven other researchers investigated the feasibility of using what they call cross-protocol attacks to bypass TLS protections. The technique involves an MitM attacker redirecting cross-origin HTTP requests to servers that communicate over SMTP, IMAP, POP3, or FTP, or another communication protocol.

The main components of the attack are (1) the client application used by the targeted end user, denoted as C; (2) the server the target intended to visit, denoted as Sint; and (3) the substitute server, a machine that connects using SMTP, FTP, or another protocol that’s different from the one serverint uses but with the same domain listed in its TLS certificate.

The researchers identified three attack methods that MitM adversaries could use to compromise the safe browsing of a target in this scenario. They are:

Upload Attack. For this attack, we assume the attacker has some ability to upload data to Ssub and retrieve it later. In an upload attack, the attacker tries to store parts of the HTTP request of the browser (specifically the Cookie header) on Ssub. This might, for example, occur if the server interprets the request as a file upload or if the server is logging incoming requests verbosely. On a successful attack, the attacker can then retrieve the content on the server independently of the connection from C to Ssub and retrieve the HTTPS session cookie.

Download Attack—Stored XSS. For this attack, we assume the attacker has some ability to prepare stored data on Ssub and download it. In a download attack, the attacker exploits benign protocol features to “download” previously stored (and specifically crafted) data from Ssub to C. This is similar to a stored XSS vulnerability. However, because a protocol different from HTTP is used, even sophisticated defense mechanisms against XSS, like the Content-Security-Policy
(CSP), can be circumvented. Very likely, Ssub will not send any CSP by itself, and large parts of the response are under the control of the attacker.

Reflection Attack—Reflected XSS. In a reflection attack, the attacker tries to trick the server Ssub into reflecting parts of C’s request in its response to C. If successful, the attacker sends malicious JavaScript within the request that gets reflected by Ssub. The client will then parse the answer from the server, which in turn can lead to the execution of JavaScript in the context of the targeted web server.

The MitM adversary can’t decrypt the TLS traffic, but there are still other things the adversary can do. Forcing the target’s browser to connect to an email or FTP server instead of the intended webserver, for instance, might cause the browser to write an authentication cookie to the FTP server. Or it could enable cross-site scripting attacks that cause the browser to download and execute malicious JavaScript hosted on the FTP or email server.

Enforcing ALPN and SNI protections

To prevent cross-protocol attacks, the researchers proposed stricter enforcement of two existing protections. The first is known as application layer protocol negotiation, a TLS extension that allows an application layer such as a browser to negotiate what protocol should be used in a secure connection. ALPN, as it’s usually abbreviated, is used to establish connections using the better-performing HTTP/2 protocol without additional round trips.

By strictly enforcing ALPN as it’s defined in the formal standard, connections created by browsers or other app layers that send the extension are not vulnerable to cross-protocol attacks.

Similarly, use of a separate TLS extension called server name indication can protect against cross-hostname attacks if it’s configured to terminate the connection when no matching host is found. “This can protect against cross-protocol attacks where the intended and substitute server have different hostnames, but also against some same-protocol attacks such as HTTPS virtual host confusion or context confusion attacks,” the researchers wrote.

The researchers are calling their cross-protocol attacks ALPACA, short for “application layer protocols allowing cross-protocol attacks.” At the moment, ALPACA doesn’t pose a major threat to most people. But the risk posed could increase as new attacks and vulnerabilities are discovered or TLS is used to protect additional communications channels.

“Overall, the attack is very situational and targets individual users,” Brinkmann said. “So, the individual risk for users is probably not very high. But over time, more and more services and protocols are protected with TLS, and more opportunities for new attacks that follow the same pattern arise. We think it’s timely and important to mitigate these issues at the standardization level before it becomes a larger problem.”

Continue Reading

Trending