
Biz & IT

Huawei responds to Android ban with service and security guarantees, but its future is unclear



Huawei has finally gone on the record about a ban on its use of Android, but the company’s long-term strategy on mobile still remains unclear.

In an effort to appease its worried customer base, the embattled Chinese company said today that it will continue to provide security updates and after-sales support to its existing lineup of smartphones, but it’s what the company didn’t say that will spark concerns.

Huawei was unable to make guarantees about whether existing customers will continue to receive Android software updates, while its statement is bereft of any mention of whether future phones will ship with the current flavor of Android or something else.

The company, which is the world’s second largest smartphone vendor based on shipments, said it will continue to develop a safe software ecosystem for its customers across the globe. Huawei will also extend the support to Honor, a brand of smartphones it owns. Nearly 50 percent of all of Huawei’s sales come from outside China, research firm Counterpoint told TechCrunch.

Here’s the statement in full:

Huawei has made substantial contributions to the development and growth of Android around the world. As one of Android’s key global partners, we have worked closely with their open-source platform to develop an ecosystem that has benefitted both users and the industry.

Huawei will continue to provide security updates and after sales services to all existing Huawei and Honor smartphone and tablet products covering those that have been sold or are still in stock globally. We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally.

In addition, the company said it will launch the Honor 20 as planned. The device is set to be unveiled at an event in London tomorrow. While Honor is a sub-brand, any sanctions levied on Huawei will likely be reflected in its business, too.

Huawei’s lukewarm response isn’t unexpected. Earlier, Google issued a similarly non-committal statement that indicated that owners of Huawei phones will continue to be able to access the Google Play Store and Google Play Protect, but — like the Chinese firm — it made no mention of the future, and that really is the key question.

Indeed, sources within both Google and Huawei have told TechCrunch that the immediate plan of action for what happens next remains unclear.

It could turn out that Huawei is forced to use the open source version of Android, AOSP, which comes stripped of Google Mobile Services, a suite of Google services such as Google Play Store, Gmail, and YouTube. That’s unless it plumps for its own homespun alternative, which media reports have claimed it has built in case of an emergency situation.

Huawei’s response comes a day after Reuters reported that Google had suspended some of its businesses with the Chinese technology giant. The Android-maker is complying with a U.S. Commerce Department directive that placed Huawei and 70 of its affiliates on an “entity list” that requires any U.S. company to gain government approval before doing business with the Chinese tech company.

In the meantime, the troubles are mounting for Huawei. In addition to Android, the U.S. government’s move has seen Intel, Qualcomm, Xilinx, and Broadcom reportedly pause supplying chips to Huawei until a resolution has been reached.


Securing your digital life, part one: The basics




I spend most of my time these days investigating the uglier side of digital life—examining the techniques, tools, and practices of cyber criminals to help people better defend against them. It’s not entirely different from my days at Ars Technica, but it has given me a greater appreciation for just how hard it is for normal folks to stay “safe” digitally.

Even those who consider themselves well educated about cyber crime and security threats—and who do everything they’ve been taught to do—can (and do!) still end up as victims. The truth is that, with enough time, resources, and skill, everything can be hacked.

The key to protecting your digital life is to make it as expensive and impractical as possible for someone bent on mischief to steal the things most important to your safety, financial security, and privacy. If attackers find it too difficult or expensive to get your stuff, there’s a good chance they’ll simply move on to an easier target. For that reason, it’s important to assess the ways that vital information can be stolen or leaked—and understand the limits to protecting that information.


In part one of our guide to securing your digital life, we’ll talk briefly about that process and about basic measures anyone can take to reduce risks to their devices. In part two, coming in a few days, we’ll address wider digital identity protection measures, along with some special measures for people who may face elevated risks. But if you’re looking for tips about peanut butter sandwich dead drops to anonymously transfer data cards in exchange for cryptocurrency payments… we can’t help you, sorry.

You are not Batman

A while back, we covered threat modeling—a practice that encompasses some of what is described above. One of the most important aspects of threat modeling is defining your acceptable level of risk.

We make risk-level assessments all the time, perhaps unconsciously—like judging whether it’s safe to cross the street. To totally remove the threat of being hit by a car, you’d either have to build a tunnel under or a bridge over the street, or you could completely ban cars. Such measures are overkill for a single person crossing the street when traffic is light, but they might be an appropriate risk mitigation when lots of people need to cross a street—or if the street is essentially a pedestrian mall.


The same goes for modeling the threats in your digital life. Unless you are Batman—with vast reserves of resources, a secret identity to protect from criminals and all but a select few members of law enforcement, and life-or-death consequences if your information gets exposed—you do not need Batman-esque security measures. (There are certainly times when you need additional security even if you’re not Batman, however; we’ll go into those special circumstances in the second half of this guide.)

For those who want to lock things down without going offline and moving to a bunker in New Zealand, the first step is to assess the following things:

  • What in my digital life can give away critical information tied to my finances, privacy, and safety?
  • What can I do to minimize those risks?
  • How much risk reduction effort is proportional to the risks I face?
  • How much effort can I actually afford?

Reducing your personal attack surface

The first question above is all about taking inventory of the bits of your digital life that could be exploited by a criminal (or an unscrupulous company, employer, or the like) for profit at your expense or could put you in a vulnerable position. A sample list might include your phone and other mobile devices, personal computer, home network, social media accounts, online banking and financial accounts, and your physical identification and credit cards. We’re going to cover the first few here; more will be covered in part two.

Each of these items offers an “attack surface”—an opportunity for someone to exploit that component to get to your personal data. Just how much of an attack surface you present depends on many factors, but you can significantly reduce opportunities for malicious exploitation of these things with some basic countermeasures.

Physical mobile threats

Smart phones and tablets carry a significant portion of our digital identities. They also have a habit of falling out of our direct physical control by being lost, stolen, or idly picked up by others while we’re not attending to them.

Defending against casual attempts to get at personal data on a smart phone (as opposed to attempts by law enforcement, sophisticated criminals, or state actors) is fairly straightforward.

First, if you’re not at home, you should always lock your device before you put it down, no exceptions. Your phone should be locked with the most secure method you’re comfortable with—as long as it’s not a 4-digit PIN, which isn’t exactly useless but is definitely adjacent to uselessness. For better security, use a password or a passcode that’s at least six characters long—and preferably longer. If you’re using facial recognition or a fingerprint unlock on your phone, this shouldn’t be too inconvenient.


Second, set your device to require a password immediately after it’s been locked. Delays mean someone who snatches your phone can get to your data if they bring up the screen in time. Additionally, make sure your device is set to erase its contents after 10 bad password attempts at maximum. This is especially important if you haven’t set a longer passcode.

Also, regularly back up your phone. The safest way to back up data if you’re concerned about privacy is an encrypted backup to your personal computer; however, most iOS device owners can back up their data to iCloud with confidence that it is end-to-end encrypted (as long as they have iOS 13 or later). Your mileage will vary with different Android implementations and backup apps.

Along the same lines, make sure you have installed the most recent version of the phone OS available to prevent someone from taking advantage of known security bypasses. For iOS, this is generally simple—when your device prompts you to upgrade, do it. The upgrade situation on Android is somewhat more complicated, but the same general advice holds true: upgrade ASAP, every time. (There is a school of thought that says you should hold off on the latest upgrades in order for bugs to be worked out, but adhering to that advice will put you in a position where your device might have exploitable vulnerabilities. You can mitigate those vulnerabilities by upgrading.)


More than 100,000 people have had their eyes scanned for free cryptocurrency





More than 100,000 people have had their eyes scanned in return for a cryptocurrency called Worldcoin, as a project to distribute digital money more widely around the world accelerates.

Worldcoin has distributed about 30 iris-scanning hardware devices, which they call “orbs,” to early users on four continents, who get rewards for signing up more people. Orbs take photos of a user’s eyeballs, creating a unique code that can be used to claim free digital tokens.

The project’s developers said on Thursday they planned to release hundreds of orbs in the coming months and eventually distribute 4,000 devices per month. The team plans to debut the cryptocurrency network early next year and begin giving away the tokens at that time. They have not said how much cryptocurrency users can expect to receive.

Worldcoin amounts to one of the most ambitious and complex attempts to hand out cryptocurrency to the world’s population, similar to the economic concept of universal basic income. The project has already faced feverish criticism, and its own developers admit the “outcome is uncertain.”

Alex Blania, the cofounder of Worldcoin, denied that the project would invade people’s privacy, saying that the orbs convert iris scans into unique strings of letters and numbers before permanently deleting the images.

The resulting code would simply be used to check whether a user has already claimed a share of the Worldcoin tokens.

“Even if I would have your iris code in one form or another, I would have no chance to find out who you actually are on the blockchain,” Blania said, referring to the digital ledgers that underpin cryptocurrencies. Worldcoin is built on the ethereum blockchain.

Blania said about 130,000 people had signed up for the project so far, and the token would be valuable as a technology that can be used for new financial applications.

The team behind Worldcoin has raised $25 million in venture capital, including a round of funding led by Andreessen Horowitz that valued the company, Tools for Humanity, at $1 billion.

Sam Altman, a former president of the Y Combinator start-up accelerator, is also an investor and co-founder of the project. Altman has been a vocal proponent of universal basic income, the concept of providing people with free money on a regular basis.

Worldcoin plans to issue 10 billion tokens in total, with 80 percent going to users, 10 percent to the company’s investors and another 10 percent to a foundation for manufacturing the orbs and developing the network.

Blania said co-founders and employees will receive a portion of the foundation’s tokens, declining to provide an exact figure. A Worldcoin spokesperson said the company planned to set up the foundation before the network’s debut.

Like many cryptocurrency projects, Worldcoin’s tokens are not backed by any hard assets and could fluctuate in value based on their popularity.

Worldcoin estimated it could reach more than 1 billion people within the first two years of the network’s operation, assuming people continue signing up at current rates and the team meets its orb distribution targets.

People who sign up for Worldcoin will receive their full allotment of tokens over time through a pre-planned vesting schedule, which Blania said was still in development.

Blania said the rate at which Worldcoin is distributed would ultimately depend on the design of the vesting schedule and the pace of user sign-ups.

Worldcoin has so far distributed orbs to 12 countries in Africa, South America, Europe and Asia. The most productive orb owner has signed up more than 10,000 people in Chile by hiring 20 people who work in shifts, the company said.

© 2021 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way.


How hackers hijacked thousands of high-profile YouTube accounts




Since at least 2019, hackers have been hijacking high-profile YouTube channels. Sometimes they broadcast cryptocurrency scams, sometimes they simply auction off access to the account. Now, Google has detailed the technique that hackers-for-hire used to compromise thousands of YouTube creators in just the past couple of years.

Cryptocurrency scams and account takeovers themselves aren’t a rarity; look no further than last fall’s Twitter hack for an example of that chaos at scale. But the sustained assault against YouTube accounts stands out both for its breadth and for the method the hackers used: an old maneuver that’s nonetheless incredibly tricky to defend against.

It all starts with a phish. Attackers send YouTube creators an email that appears to be from a real service—like a VPN, photo editing app, or antivirus offering—and offer to collaborate. They propose a standard promotional arrangement: Show our product to your viewers and we’ll pay you a fee. It’s the kind of transaction that happens every day for YouTube’s luminaries, a bustling industry of influencer payouts.

Clicking the link to download the product, though, takes the creator to a malware landing site instead of the real deal. In some cases the hackers impersonated known quantities like Cisco VPN and Steam games, or pretended to be media outlets focused on COVID-19. Google says it has found over 1,000 domains to date that were purpose-built for infecting unwitting YouTubers. And that only hints at the scale. The company also found 15,000 email accounts associated with the attackers behind the scheme. The attacks don’t appear to have been the work of a single entity; rather, Google says, various hackers advertised account takeover services on Russian-language forums.

Once a YouTuber inadvertently downloads the malicious software, it grabs specific cookies from their browser. These “session cookies” confirm that the user has successfully logged in to their account. A hacker can upload those stolen cookies to a malicious server, letting them pose as the already authenticated victim. Session cookies are especially valuable to attackers because they eliminate the need to go through any part of the login process. Who needs credentials to sneak into the Death Star detention center when you can just borrow a stormtrooper’s armor?

“Additional security mechanisms like two-factor authentication can present considerable obstacles to attackers,” says Jason Polakis, a computer scientist at the University of Illinois, Chicago, who studies cookie theft techniques. “That renders browser cookies an extremely valuable resource for them, as they can avoid the additional security checks and defenses that are triggered during the login process.”

Such “pass-the-cookie” techniques have been around for more than a decade, but they’re still effective. In these campaigns, Google says it observed hackers using about a dozen different off-the-shelf and open source malware tools to steal browser cookies from victims’ devices. Many of these hacking tools could also steal passwords.
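
An added example, not from the original article or from Google: a toy server-side session store in Python showing why a replayed session cookie skips the password and two-factor checks, and how binding the session to coarse client context lets the server reject and revoke a cookie presented from elsewhere. The binding is an assumed mitigation, and all names and sample values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample values (RFC 5737 documentation addresses).
VICTIM_UA, VICTIM_IP = "Browser/1.0 (creator laptop)", "192.0.2.10"
OTHER_UA, OTHER_IP = "Browser/9.9 (unknown host)", "203.0.113.77"


class SessionStore:
    """Hypothetical in-memory session table, for illustration only."""
    def __init__(self, bind_context, max_age=3600):
        self.bind_context = bind_context
        self.max_age = max_age
        self.sessions = {}
        self.alerts = []

    @staticmethod
    def _fingerprint(user_agent, ip):
        # Coarse context: User-Agent plus the /24 network, so ordinary
        # address churn inside one network does not log the user out.
        network = ".".join(ip.split(".")[:3])
        return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()

    def login(self, user, password_ok, second_factor_ok, user_agent, ip):
        # Password and 2FA are checked here, and only here.
        if not (password_ok and second_factor_ok):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {
            "user": user,
            "fp": self._fingerprint(user_agent, ip),
            "issued": time.time(),
        }
        return token

    def authenticate(self, token, user_agent, ip):
        # Every later request presents only the cookie value.
        session = self.sessions.get(token)
        if session is None:
            return None
        if time.time() - session["issued"] > self.max_age:
            del self.sessions[token]
            return None
        seen = self._fingerprint(user_agent, ip)
        if self.bind_context and not hmac.compare_digest(session["fp"], seen):
            # Context changed: record it and revoke, forcing a full login.
            self.alerts.append((session["user"], ip))
            del self.sessions[token]
            return None
        return session["user"]


def replay_outcome(bind_context):
    """Log in once, then present the same cookie from a different context."""
    store = SessionStore(bind_context)
    token = store.login("creator", True, True, VICTIM_UA, VICTIM_IP)
    return {
        "victim": store.authenticate(token, VICTIM_UA, VICTIM_IP),
        "replayed": store.authenticate(token, OTHER_UA, OTHER_IP),
        "victim_after": store.authenticate(token, VICTIM_UA, VICTIM_IP),
        "alerts": len(store.alerts),
    }
```

Context binding is a heuristic: it catches a cookie replayed from another machine or network, not malware acting through the victim’s own browser, so short session lifetimes and re-authentication for sensitive actions still matter.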

“Account hijacking attacks remain a rampant threat, because attackers can leverage compromised accounts in a plethora of ways,” Polakis says. “Attackers can use compromised email accounts to propagate scams and phishing campaigns or can even use stolen session cookies to drain the funds from a victim’s financial accounts.”

Google wouldn’t confirm which specific incidents were tied to the cookie-theft spree. But a notable surge in takeovers occurred in August 2020, when hackers hijacked multiple accounts with hundreds of thousands of followers and changed the channel names to variations on “Elon Musk” or “Space X,” then livestreamed bitcoin giveaway scams. It’s unclear how much revenue any of them generated, but presumably these attacks have been at least moderately successful given how pervasive they became.

This type of YouTube account takeover ramped up in 2019 and 2020, and Google says it convened a number of its security teams to address the issue. Since May 2021 the company says it has caught 99.6 percent of these phishing emails on Gmail, with 1.6 million messages and 2,400 malicious files blocked, 62,000 phishing page warnings displayed, and 4,000 successful account restorations. Now Google researchers have observed attackers transitioning to targeting creators who use email providers other than Gmail—like,,, and—as a way of avoiding Google’s phishing detection. Attackers have also started trying to redirect their targets over to WhatsApp, Telegram, Discord, or other messaging apps to keep out of sight.

“A large number of hijacked channels were rebranded for cryptocurrency scam live-streaming,” Google TAG explains in a blog post. “The channel name, profile picture and content were all replaced with cryptocurrency branding to impersonate large tech or cryptocurrency exchange firms. The attacker live-streamed videos promising cryptocurrency giveaways in exchange for an initial contribution.”

Though two-factor authentication can’t stop these malware-based cookie thefts, it’s an important protection for other types of scams and phishing. Beginning on November 1, Google will require YouTube creators who monetize their channels to turn on two-factor for the Google account associated with their YouTube Studio or YouTube Studio Content Manager. It’s also important to heed Google’s “Safe Browsing” warnings about potentially malicious pages. And as always, be careful what you click and which attachments you download from your email.

The advice for YouTube viewers is even simpler: If your favorite channel is pushing a cryptocurrency deal that seems too good to be true, give it some Dramatic Chipmunk side eye and move on.

This story originally appeared on
