Google claims it will stop tracking individual users for ads
Google says anonymized, group-based interest tracking will be good enough.
As Google’s plan to kill third-party tracking cookies ramps up, the company is answering questions about what will replace it. Many people have wondered: if Google kills cookies, won’t the company just cook up some other method for individually tracking users?
Today, Google answered that concern in a post on its “Ads & Commerce” blog, pledging it won’t come up with “any technology used for tracking individual people.” The company wrote:
We continue to get questions about whether Google will join others in the ad tech industry who plan to replace third-party cookies with alternative user-level identifiers. Today, we’re making explicit that once third-party cookies are phased out, we will not build alternate identifiers to track individuals as they browse across the web, nor will we use them in our products.
You might look at that statement and think that Google is sacrificing something or turning over a new leaf when it comes to privacy, but really, Google doesn’t need to track individuals for advertisements. Google’s cookie-tracking replacement technology, the Chrome “Privacy Sandbox,” uses group tracking, which is more in line with how advertisers think anyway.
As Google puts it in its blog post, “advertisers don’t need to track individual consumers across the web to get the performance benefits of digital advertising. Advances in aggregation, anonymization, on-device processing and other privacy-preserving technologies offer a clear path to replacing individual identifiers.” If you’re an advertiser with a phone ad, you would only ever want to show your ad to “people who care about phones.” As an advertiser, you wouldn’t really care about individuals or exact browsing history as long as you know users are open to being manipulated by your ad.
Chrome’s “Privacy Sandbox” interest tracker
The plan to kill cookies is still a bit fuzzy since none of this exists yet. But generally, Google wants to build a machine-learning-powered tracking system into Chrome that groups people into various interest groups like “classical music lovers,” rather than building individual profiles of people. Then, when it’s time to serve ads, Chrome can serve up a list of your interests and pull in relevant ads. It’s all the same ad relevance but without any personally identifying info going up to the cloud.
I think a good way of explaining this was that, before, through cookies, you would end up sending personal information and detailed browser history to various web ad servers, which could then build an ad interest file on you in the cloud. Now, Chrome will keep that detailed information locally and build an ad interest profile locally, and only the interest profile would be shipped to the advertisers for relevant ads through an open API. Again, this is all very early and only in the experimental stage right now, so there’s not an abundance of concrete detail to go into.
Google thinks this solution will be good enough to continue to make almost $150 billion in ad money per year, even if it stops tracking individuals. The new setup is also a valuable weapon in the war against government regulators, who did get a shout-out in Google’s blog post. The company wrote that while other ad agencies might build new individual user-tracking technologies, “We don’t believe these solutions will meet rising consumer expectations for privacy, nor will they stand up to rapidly evolving regulatory restrictions, and therefore aren’t a sustainable long-term investment. Instead, our web products will be powered by privacy-preserving APIs which prevent individual tracking while still delivering results for advertisers and publishers.”
Read the original article over at ArsTechnica.com.
Silver Sparrow malware infects 30,000 Macs
Silver Sparrow can even run on systems with Apple’s new M1 chip.
Security researchers have spotted a new malware operation targeting Mac devices that has silently infected almost 30,000 systems.
Named Silver Sparrow, the malware was discovered by security researchers from Red Canary and analyzed together with researchers from Malwarebytes and VMware Carbon Black.
“According to data provided by Malwarebytes, Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany,” Red Canary’s Tony Lambert wrote in a report published last week.
But despite the high number of infections, details about how the malware was distributed and infected users are still scarce, and it’s unclear if Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters — the classic distribution vector for most Mac malware strains these days.
Furthermore, the purpose of this malware is also unclear, and researchers don’t know what its final goal is.
Once Silver Sparrow infects a system, the malware just waits for new commands from its operators — commands that never arrived during the time researchers analyzed it, hoping to learn more of its inner workings prior to releasing their report.
But this shouldn’t be interpreted as a failed malware strain, Red Canary warns. It may be possible that the malware is capable of detecting researchers analyzing its behavior and is simply avoiding delivering its second-stage payloads to these systems.
The large number of infected systems clearly suggests this is a very serious threat and not just some threat actor’s one-off tests.
SILVER SPARROW SUPPORTS M1 CHIPS
In addition, the malware also comes with support for infecting macOS systems running on Apple’s latest M1 chip architecture, once again confirming this is a novel and well-maintained threat.
In fact, Silver Sparrow is the second malware strain discovered that can run on M1 architectures after the first was discovered just four days before, showing exactly how cutting-edge this new threat really is.
“Though we haven’t observed Silver Sparrow delivering additional malicious payloads yet, its forward-looking M1 chip compatibility, global reach, relatively high infection rate, and operational maturity suggest the malware is a reasonably serious threat, uniquely positioned to deliver a potentially impactful payload at a moment’s notice,” Lambert warned in his report.
“Given these causes for concern, in the spirit of transparency, we wanted to share everything we know with the broader infosec industry sooner rather than later.”
The Red Canary report contains indicators of compromise, such as files and file paths created and used by the malware, which can be used to detect infected systems.
Read the original article over at ZDNet.com.
LastPass Free to force users to choose between mobile, desktop
Starting next month, LastPass will no longer allow a free account to be used on multiple types of devices (computers and mobile) at the same time.
LastPass is a password manager that allows you to synchronize and auto-fill your login credentials throughout multiple platforms, including Windows, iOS, Android, and almost all web browsers.
While LastPass offers premium subscriptions with additional features, they also provide a Free subscription with “password management with access on all your devices for free.”
Today, LastPass began emailing customers of their Free service with news that starting on March 16th, 2021, users will no longer be allowed to use the service on both mobile and computer desktops simultaneously.
Instead, users will be forced to select either a ‘Computer’ or ‘Mobile’ device platform that they wish to use the free service on. According to this email, LastPass Free users will be able to use the service on their Android and iOS mobile devices simultaneously but not on computers or vice-versa.
“We’re making changes to how LastPass Free users access LastPass across device types. LastPass offers access across two device types – Computers (including all browsers running on desktops and laptops) or Mobile Devices (including mobile phones, smart watches, and tablets).
“Starting March 16, 2021, LastPass Free will only include access on unlimited devices of one type,” announced LastPass in a support bulletin.
LastPass will automatically select the designated platform type based on the device you first log in with on or after March 16th. If you log in with your phone, LastPass will automatically set your active device type to ‘Mobile.’
While LastPass users will not be able to use the service on a different category of devices, they can use it on unlimited devices in the same category.
To prevent users from getting stuck on an unwanted platform, LastPass provides users three opportunities to change their active device type. After the third change, users will be stuck on that platform unless they upgrade to a LastPass Premium or Families account.
In addition to these new limitations, LastPass Free users will no longer receive support via email and will only have access to the support center and the LastPass forums.
Read the original article over at BleepingComputer.com.
Bitcoin blasts past $50,000
Bitcoin surpasses $50,000 for first time as major companies jump into crypto.
Bitcoin’s price broke above $50,000 for the first time in history Tuesday, continuing its blistering rally as major companies appear to be warming to cryptocurrencies.
The world’s largest digital currency by market value rose more than 3% to an all-time high of $50,487 at about 7:30 a.m. ET, according to data from Coin Metrics. It later fell below the mark, trading 0.2% higher at a price of $48,760.
Bitcoin has gotten a boost from news of large firms like Tesla and Mastercard showing support for crypto. Tesla last week revealed it had bought $1.5 billion worth of bitcoin and plans to accept the digital coin as payment for its products, while Mastercard said it will open up its network to some digital currencies. PayPal and BNY Mellon have also made big moves to support crypto.
Tesla’s use of corporate cash to buy bitcoin sparked speculation over whether other major companies would follow suit. Uber CEO Dara Khosrowshahi told CNBC last week that the company had discussed but “quickly dismissed” the idea of buying cryptocurrency but is considering whether to accept cryptocurrencies as payment.
These developments have led many crypto investors to believe the latest bull run is different than past rallies. Bitcoin skyrocketed to nearly $20,000 in late 2017 before losing more than 80% of its value the following year. Believers say that, whereas the 2017 bubble was driven by retail speculation, the current cycle is being fueled by demand from institutional investors.
“I think bitcoin is a much more stable asset class today than it was three years ago,” Michael Saylor, CEO of enterprise software firm MicroStrategy, told CNBC’s “Street Signs Asia” program on Tuesday. “It used to be dominated by leveraged retail traders … on international markets with a lot of leverage.”
“I think that starting in March of 2020, you saw institutions start to arrive, and I think in 2021 you’re going to see that trend continue,” Saylor added. “There’re enthusiasts for cryptocurrency as a medium of exchange, … but I personally believe that the compelling use case is a store of value.”
MicroStrategy has seen its share price climb more than sevenfold since it first bought bitcoin in August. The company announced Tuesday that it will offer $600 million in convertible bonds to buy more bitcoin. There has been speculation that MicroStrategy offered a blueprint for Tesla’s bitcoin purchase after an exchange between Saylor and Elon Musk on Twitter about making “large transactions” with the cryptocurrency.
Still, skeptics see bitcoin as a speculative asset and worry it may be one of the biggest market bubbles in history. Economists like Nouriel Roubini say that bitcoin and other cryptocurrencies have no intrinsic value. And a recent Deutsche Bank survey said investors view bitcoin as the most extreme bubble in financial markets.
Read the original article over at CNBC.com.
FBI warns about using TeamViewer and Windows 7
An FBI alert sent on Tuesday warns companies about the use of out-of-date Windows 7 systems, poor account passwords, and desktop sharing software TeamViewer.
In the aftermath of the Oldsmar incident, where an unidentified attacker gained access to a water treatment plant’s network and modified chemical dosages to dangerous levels, the FBI sent out an alert on Tuesday, drawing attention to three security issues that were seen on the plant’s network following last week’s hack.
The alert, called a Private Industry Notification, or FBI PIN, warns about the use of out-of-date Windows 7 systems, poor passwords, and desktop sharing software TeamViewer, urging private companies and federal and government organizations to review internal networks and access policies accordingly.
TEAMVIEWER CONSIDERED THE POINT OF ENTRY
The FBI PIN specifically names TeamViewer as a desktop sharing software to watch out for after the app was confirmed as the attacker’s entry point into the Oldsmar water treatment plant’s network.
According to a Reuters report, officials said the intruder connected to a computer on the Oldsmar water treatment plant’s network via TeamViewer on two occasions last Friday.
In the second one, the attacker actively took control of the operator’s mouse, moved it on screen, and made changes to sodium hydroxide (lye) levels that were being added to drinking water.
While the operator reversed the changes the hacker made almost immediately, the incident became an instant point of contention and discussion among security professionals.
Among the most common points brought up in online discussions was the use of the TeamViewer app to access resources on US critical infrastructure.
In a Motherboard report published on Tuesday, several well-known security experts criticized companies and workers who often use the software for remote work, calling it insecure and inadequate for managing sensitive resources.
While the FBI PIN alert doesn’t take a critical tone or stance against TeamViewer, the FBI would like federal and private sector organizations to take note of the app.
“Beyond its legitimate uses, TeamViewer allows cyber actors to exercise remote control over computer systems and drop files onto victim computers, making it functionally similar to Remote Access Trojans (RATs),” the FBI said.
“TeamViewer’s legitimate use, however, makes anomalous activity less suspicious to end users and system administrators compared to typical RATs.”
The FBI alert doesn’t specifically tell organizations to uninstall TeamViewer or any other type of desktop sharing software but warns that TeamViewer and other similar software can be abused if attackers gain access to employee account credentials or if remote access accounts (such as those used for Windows RDP access) are secured with weak passwords.
FBI WARNS ABOUT WINDOWS 7 USE… AGAIN
In addition, the FBI alert also warns about the continued use of Windows 7, an operating system that reached end-of-life last year, on January 14, 2020, an issue the FBI also warned US companies about last year.
This part of the warning was included because the Oldsmar water treatment plant was still using Windows 7 systems on its network, according to a report from the Massachusetts government.
While there is no evidence to suggest the attackers abused Windows 7-specific bugs, the FBI says that continuing to use the old operating system is dangerous as the OS is unsupported and does not receive security updates, which currently leaves many systems exposed to attacks via newly discovered vulnerabilities.
However, a Cyberscoop report published today highlights the fact that the Oldsmar plant, along with many other US water treatment facilities, is often underfunded and understaffed.
While the FBI warns against the use of Windows 7 for good reasons, many companies and US federal and state agencies might not be able to do anything about it, barring a serious financial investment into modernizing IT infrastructure from upper management, something that’s not expected anytime soon in many locations.
In these cases, the FBI recommends a series of basic security best practices as an intermediary way to mitigate threats, such as:
- Use multi-factor authentication;
- Use strong passwords to protect Remote Desktop Protocol (RDP) credentials;
- Ensure anti-virus, spam filters, and firewalls are up to date, properly configured, and secure;
- Audit network configurations and isolate computer systems that cannot be updated;
- Audit your network for systems using RDP, closing unused RDP ports, applying two-factor authentication wherever possible, and logging RDP login attempts;
- Audit logs for all remote connection protocols;
- Train users to identify and report attempts at social engineering;
- Identify and suspend access of users exhibiting unusual activity;
- Keep software updated.
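As an added example (not part of the FBI notification or the original article), the RDP items in the list above can be turned into a small log audit like the one below. The CSV layout, the allowlisted management subnet, the thresholds and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: a simplified CSV export of Windows Security events.
# Columns: time, event ID, logon type, account, source address.
SAMPLE_LOG = """\
2021-02-05T08:01:10,4624,10,operator1,10.20.0.15
2021-02-05T09:12:00,4625,2,operator1,10.20.0.15
2021-02-05T13:30:01,4625,10,operator1,203.0.113.44
2021-02-05T13:30:11,4625,10,operator1,203.0.113.44
2021-02-05T13:30:21,4625,10,operator1,203.0.113.44
2021-02-05T13:30:31,4625,10,operator1,203.0.113.44
2021-02-05T13:30:41,4625,10,operator1,203.0.113.44
2021-02-05T13:31:05,4624,10,operator1,203.0.113.44
2021-02-05T14:00:00,4625,10,admin,198.51.100.7
this line is malformed and is skipped
"""

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
# Logon type 10 is RemoteInteractive (RDP). Failed attempts against hosts
# using Network Level Authentication are often logged as type 3 (Network);
# add 3 to this set if that applies to your environment.
RDP_LOGON_TYPES = {10}
# Assumption: RDP is only expected from this management subnet.
ALLOWED_SOURCES = [ip_network("10.20.0.0/24")]


def parse_events(text):
    """Yield one dict per well-formed row; skip anything that does not parse."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue
        ts, event_id, logon_type, account, src = (f.strip() for f in row)
        try:
            yield {
                "time": datetime.fromisoformat(ts),
                "event_id": int(event_id),
                "logon_type": int(logon_type),
                "account": account,
                "src": ip_address(src),
            }
        except ValueError:
            continue


def audit_rdp_logons(text, threshold=5, window=timedelta(minutes=10)):
    """Return (finding, source, account) tuples in chronological order.

    failed-logon-burst       : `threshold` failures from one source in `window`
    success-after-burst      : a logon succeeds while such a burst is active
    source-outside-allowlist : a logon succeeds from an unexpected network
    """
    recent_failures = defaultdict(deque)  # source -> failure timestamps
    burst_reported = set()
    findings = []
    for ev in sorted(parse_events(text), key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        fails = recent_failures[src]
        # Drop failures that have aged out of the sliding window.
        while fails and ev["time"] - fails[0] > window:
            fails.popleft()
        if ev["event_id"] == FAILED_LOGON:
            fails.append(ev["time"])
            if len(fails) >= threshold and src not in burst_reported:
                burst_reported.add(src)
                findings.append(("failed-logon-burst", str(src), ev["account"]))
        elif ev["event_id"] == SUCCESSFUL_LOGON:
            if len(fails) >= threshold:
                findings.append(("success-after-burst", str(src), ev["account"]))
            if not any(src in net for net in ALLOWED_SOURCES):
                findings.append(
                    ("source-outside-allowlist", str(src), ev["account"])
                )
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_logons(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A "success-after-burst" finding is the one to act on first, since it matches the list's advice to identify and suspend access for accounts showing unusual activity.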
Read the original article over at ZDNet.com.
5 Tips and Tricks to Optimize Mobile Device Storage Space
Smartphones are often bulging with data and running out of storage for most of us. When it happens, you need to clean data or get a new device with a larger storage space. With high-resolution photos and videos and video-streaming services taking a lot more storage than a few years ago, it is common for your smartphone to run out of storage.
Have You Ever Run Out of Storage on a Phone? — a poll done by Droid Life in 2016 reported that 50 percent of the respondents had run out of storage space on their smartphones and 21 percent of them came close to running out of space. That means 71 percent of the respondents needed more storage space.
What is the solution then? Almost a decade ago, it was easy to gain more storage space by using a microSD card as most smartphones supported microSD cards at that time. However, manufacturers have mostly stopped providing this option, with a few exceptions such as Samsung Galaxy. So, the question arises: what to do when you run out of space on your mobile device? Let’s find out below.
1. Opt for a cloud storage service
The easiest way to get more free space on your mobile device is to opt for a cloud storage service such as Dropbox, Google Drive, iCloud Drive, etc. Whether you opt for a free or paid cloud storage service, you can configure settings to offload photos and videos to the cloud, freeing up space on your smartphone.
Of course, the storage service’s app must support automatic backing up or offloading photos and videos to the cloud storage. For instance, Google Photos allows you to back up and sync your photos and videos. Moreover, you can delete them after they are uploaded to the cloud to gain more storage space.
Here’s how to enable the free cloud backup using Google Photos:
- Go to Settings > Back up & sync and enable it.
- After the photos and videos get backed up, you can delete them from your device through Settings > Free up device storage.
If you upload up to 16 MP photos, it is free for now. But after June 1, 2021, Google Photos will count them according to your Google account’s storage capacity, sadly.
2. Clean the device’s storage
Every digital device gets cluttered over time — especially our smartphones. That is why you must do a periodic spring-cleaning — at least every quarter if not every month. Though you can do it manually, there are apps to help you clean your device, which categorize the used space by apps, documents, media, etc.
Most importantly, these apps list cache, junk files, and temporary data, allowing you to gain some space with just some clicks. For example, you can use Files by Google to browse files and clean up your phone. You should browse photos and videos and delete any bad, duplicate, pixelated, or unwanted media files to free up space.
Moreover, you must check the downloads folder on your device, as we tend to download files that turn into clutter over time, so delete them all.
3. Delete unused applications
According to a recent report, the average smartphone user usually has 80+ apps installed on their mobile device. However, the average person uses only 9 apps on a daily basis and 30 apps on a monthly basis. That means you can remove unused apps from your device to free up storage space.
On Android, you can use Google Play Store to check all the installed apps and remove the ones you do not use. Follow the given steps:
- Open the Play Store and click Options (the hamburger icon).
- Choose My apps & games and switch to the Installed tab.
- Click an app and press the Uninstall button to remove the app.
On iOS, you can follow these steps to delete an application:
- You can touch and hold an app and tap Remove App.
- Tap Delete App and finally tap Delete to delete it.
4. Clear apps’ cache and temp
Every app downloads and/or stores data locally on your device. For example, Facebook may store login information and some cached or temporary media files. Similarly, Amazon Prime, Castbox.fm, Netflix, and most other media apps allow you to download media offline, which also utilizes the device’s storage.
Some of this data is stored under special storage categorized as “cache” while others are stored on the device directly. You can delete cache and these extra or temporary data to get more free space on your smartphone.
On Android, you can follow these steps to clear an app’s cache:
- Go to Settings > Apps & notifications > See all apps.
- Click an app and click the Storage & cache button.
- Click Clear cache to delete the app’s cache.
On iOS, you can clear Safari’s cache by following these steps:
- Go to Settings > Safari and scroll down to Privacy & Security.
- Tap Clear History and Website Data under Privacy & Security.
As for third-party apps in iOS, this option is not available for all apps. For example, Slack provides an option Reset cache on next launch under Settings > Slack. So, you need to look inside Settings for other apps.
5. Check DeX and delete files
If you are using one of the flagship Samsung Galaxy smartphones, you may know about Samsung DeX. It is a mobile-powered desktop computing platform that lets you utilize a desktop-like experience on an external display. Though it gets you a PC-like experience using your smartphone, it helps you create more data.
If you do not use Samsung DeX, you can skip to the next section. If you use it, you must check your data inside DeX by following these steps:
- Boot up DeX and check apps, files, and folders.
- Delete anything you mostly do not use or want on a regular basis. It will help you regain precious storage space.
Bonus: Limit the size of media files
With the growing usage of smartphones for shooting photos and videos, it is no wonder that the storage space is mostly utilized by media files. Nowadays, flagship smartphones are coming with cameras of hefty megapixels — going to more than 100MP. Though it gets you crisp photos, it increases their sizes too.
Similarly, advanced features like 4K resolution, HDR mode, and 60 fps options are gaining traction among enthusiasts; however, these all add to the media size.
That said, you should configure your camera app to lower these settings. You can get decent photos and videos at 1080p resolution, 30 fps mode, and a high compression ratio, and you can always change settings for special occasions.
On Android, if you are using Google Camera, you can configure this way:
- Open Google Camera and click More > Settings.
- Configure the resolution options namely Back camera photo resolution, Front camera photo resolution, Back camera video resolution, and Front camera video resolution. Maybe your camera has more such options.
On iOS, if you are using the default camera app, do the following:
- Open Settings > Camera.
- Tap Record Video or Record Slo-mo, then choose a resolution. As mentioned before, pick one of the options showing 1080p HD at 30 fps.
How much storage space do you really need?
It only depends on your requirements. If you hardly shoot photos and videos using your smartphone (maybe you got a DSLR camera?), you can probably do with 64 GB storage.
On the other hand, if you are a camera enthusiast, opt for a minimum 128 GB storage option. But if you are a heavy user shooting multiple photos and videos every day, you should look for a minimum 256 GB of storage space. Or you can also buy a smartphone with expandable storage using a microSD card.
That is all about the common yet handy tips and tricks to get rid of unwanted data and gain more space on your smartphone.
Read the original article over at Hongkiat.com.
Dystopia Prime: Amazon AI van cameras spark surveillance concerns
Dystopia Prime: Amazon is rolling out AI-enabled surveillance cameras in its delivery vans, and drivers and privacy advocates say the company is building a massive mobile surveillance system. Although the system is billed to improve driver safety, some worry it is more about exerting control.
Amazon.com Inc’s announcement this week that it would be rolling out AI-powered cameras in its branded delivery vans for safety has drawn criticism from privacy advocates and workers concerned with being subjected to surveillance on the job.
The world’s largest e-commerce firm said the cameras, which are developed by transportation technology company Netradyne, would improve safety of both drivers and the communities in which they deliver.
But employees like Henry Search, a 22-year-old delivery driver in Washington state, said they saw cameras capturing their work day as an “invasion of privacy”.
“We are out here working all day, trying our best already,” Search told the Thomson Reuters Foundation in a phone interview. “The cameras are just another way to control us.”
Privacy advocates warned that equipping Amazon’s fleet of about 30,000 delivery vehicles with AI cameras could set a dangerous precedent for privacy.
“This appears to be the largest expansion of corporate surveillance in human history,” said Evan Greer, deputy director of tech nonprofit Fight for the Future. “If this becomes the norm, we are talking about the extinction of human privacy.”
Amazon has come under scrutiny in the past for accidents involving delivery drivers.
A company spokeswoman said in emailed comments that “this technology will provide drivers real-time alerts to help them stay safe when they are on the road.”
In an instructional video about the cameras, Amazon’s senior manager for last-mile safety Karolina Haraldsdottir said cameras will record 100% of the time, but are not set up to livestream from inside of vans.
They will detect unsafe driving, including when drivers appear distracted or drowsy, she explained, adding that the footage could be used by the company’s safety team, or in investigations of theft or accidents.
But Greer said that safety issues could be addressed by slowing the pace of work. “The first thing they (Amazon) should do to improve safety would be not have such outrageous delivery quotas that force people into unsafe conditions,” she said.
Another driver in Massachusetts, who asked not to use his name to protect his identity, said he would welcome a camera displayed outside his van to record evidence for any accident.
“But a camera on my face all the time, I don’t see how that keeps me safe – it’s too much,” he said in a phone interview, noting that drivers already use an app called Mentor that tracks the location and movements of the vehicle.
Haraldsdottir said that “only a limited set of authorized people” would have access to driver footage from the cameras.
But some drivers worried Amazon might sell or share the footage with third parties, or use the cameras to monitor their performance on the job.
“The footage recorded could be shared with a future possible employer who can then decide to reject you before even knowing you,” said one driver from Michigan who asked not to give his full name.
Although he enjoys doing deliveries for Amazon, he said he is currently looking for other work because he does not want to be subjected to surveillance.
Rights activists say Amazon already has an extensive surveillance system in its warehouses to track workers’ movements and boost productivity, including navigation software, item scanners, wristbands, thermal cameras and recorded footage.
“There are no laws in place to meaningfully limit what Amazon can do with the footage they collect,” said Greer, noting that other surveillance products, such as the Ring doorbell camera system, can share footage with police departments.
Surveillance experts say that the privacy implications of Amazon’s camera network for delivery vans extend far beyond drivers.
Andrew Ferguson, a professor of law at D.C.’s American University, said Amazon’s private surveillance networks would further entrench the snooping powers of government.
“While the inclination to use AI technology to enhance driver safety is commendable, the failure to think about the privacy and surveillance issues and equities is troubling,” he said.
While police may not have direct access to the footage, authorities will be able to access it in the course of an investigation, expanding the reach of police surveillance, Ferguson explained.
Last June, Amazon announced a one-year moratorium on police use of its facial recognition software, following criticism that the technology reinforced racial bias.
“Amazon is quite literally building mobile surveillance vans to film our neighborhoods, something that we would be rightly horrified about if our government did it,” Ferguson said. “I don’t think we want to join dystopia prime.”
GameStop? Reddit? Explaining what’s happening in the stock market.
GameStop: How WSB Beat Hedge Funds at Their Own Game. Here’s a guide to understanding what’s going on with GameStop and what the frenzy means for the stock market.
Suddenly, Wall Street can’t stop talking about GameStop, a video game retailer whose stock price is popping far beyond what most people think it’s worth.
Here’s a guide to understanding why and what the frenzy means for the stock market.
Why is everyone talking about GameStop?
The simplest answer is that its stock price has skyrocketed — by somewhere around 8,000 percent over six months. The more complex answer is that its stock has become the central game piece in a financial power struggle between a major hedge fund, Melvin Capital, and a group of amateur stock traders who yell on the internet.
Mike Novogratz, an investor and former hedge fund manager, said the internet activity is the result of frustration that everyday investors are often locked out of lucrative opportunities, such as initial public stock offerings.
“What it really feels like is the game is stacked against the little guy,” he said.
What is GameStop?
GameStop is a video game retailer. Like most stores that still sell products in person, it has had a hard time lately as video game sales have moved online and as the Covid-19 pandemic keeps people away from stores. It’s still in business, but few people expect it to grow again.
How did it end up in the middle of all this?
Like many companies that are in rough shape, GameStop was the subject of what’s called short selling, in which professional investors borrow shares of stock to sell and then buy back later so they can return them, which lets them pocket the profit if the stock price goes down. They’re basically bets that the company will fail.
GameStop was one of the most shorted of all publicly traded companies. Other companies on the list include AMC Theatres, Bed Bath & Beyond and even the mostly defunct Blockbuster. Remember those names.
And then GameStop became the source of a short squeeze.
What is a short squeeze?
For the most part, investors follow the “buy low, sell high” format when it comes to stocks. Short sellers do the opposite — they borrow and sell a stock when it’s high and bet that it will continue to fall. If that doesn’t happen and the stock price rises, short sellers are forced to cover their positions or buy more stocks — to minimize their losses.
Because short sellers — frequently hedge funds — in essence are betting against a company’s success, it can be a risky position. Any positive news or enthusiasm for the stock will push up the stock’s valuation, minimizing profit for the short seller. In the case of GameStop, chatter on massive online trading forums invigorated interest in buying the stock, pushing up the price, which in turn fueled more interest.
The speculative trading left short sellers with no more shares to buy to cover their positions, creating a short squeeze and leaving them with millions of dollars in stocks they had bought at a high price but which they then had to offload at an even higher price.
S3 Partners, a financial data company, said Wednesday that its analysis found that short sellers had lost $23.6 billion on GameStop this month.
How does the internet fit in?
The internet has been used to prognosticate about stocks for decades, but there’s never been anything quite like the Reddit community called r/wallstreetbets, also known as WSB.
WSB takes something of an internet extremist’s approach to investing. Its slogan is “Like 4chan found a Bloomberg Terminal,” alluding to the fringe message board and the Bloomberg computer system that is nearly ubiquitous in finance.
Amateur investors on WSB have discussed GameStop (which they refer to by its stock ticker abbreviation, GME) for years, but things changed early this year. As the price of the shares rose, more WSB posters jumped on board. “100% of my portfolio on GME because of you idiots,” a person posted Jan. 10. On Wednesday, the people who run WSB temporarily made the community private and said they were “experiencing technical difficulties based on unprecedented scale as a result of the newfound interest in WSB.”
There’s also Robinhood, the app that is the unofficial stock trading platform of choice for WSB. It lets people trade stocks and even more exotic investments, like options, for little or no charge.
So what if a bunch of people bought GameStop stock?
This is where things get a little complicated and a bit more unclear. Shares in GameStop ticked up on Jan. 11 after it named three people to its board of directors as part of a deal with shareholders who had been agitating for change. That caused some short sellers to abandon their positions, helping to drive the stock up more in the following days.
That only emboldened traders on WSB. “CAN’T STOP WON’T STOP GAMESTOP,” a person wrote Jan. 14, along with a clip from the movie “The Wolf of Wall Street.”
The stock traded about even for the next few days. Things really began to change starting Friday.
What happened Friday?
CNBC data show that the volume of shares traded — a closely watched indicator of activity around the stock — spiked on Friday. Increased volume can indicate a short squeeze, meaning people who had bet against the stock either chose or were forced to give up and take losses.
And while WSB had gotten some media attention in recent days for its GameStop boosterism, a boom in coverage of GameStop and WSB helped bring the story out of the financial world and more into the mainstream. The frenzy was on.
GameStop shares would go from trading at around $43 (already significantly more than they traded for at the beginning of the year) to as much as $380, becoming one of the most traded stocks on the market along the way.
Tesla CEO Elon Musk, the world’s wealthiest person, who has also publicly battled short sellers, tweeted out Tuesday, “Gamestonk!” with a link to WSB. Gamestonk is a reference to GameStop and to “stonk,” internet slang for stock.
Does this matter to ordinary investors?
Yes. For one thing, the volume of trading has strained the computer infrastructure of online brokerages, including TD Ameritrade, which said Wednesday that its mobile app was handling unprecedented volumes.
And at least on paper, ordinary investors are making money even if they’re not paying attention. BlackRock, which operates mutual funds, may have made billions of dollars from the rise in GameStop shares alone.
But the bigger and longer-lasting impact may be on how the market itself operates. Never before has a group of amateur investors taken on a hedge fund like this and won. The battle over GameStop has taken on something of a David vs. Goliath feel, with some people outside of finance painting it as a reckoning for parts of Wall Street.
“For years, the same hedge funds, private equity firms, and wealthy investors dismayed by the GameStop trades have treated the stock market like their own personal casino while everyone else pays the price,” Sen. Elizabeth Warren, D-Mass., said in a news release. “It’s long past time for the SEC and other financial regulators to wake up and do their jobs — and with a new administration and Democrats running Congress, I intend to make sure they do.”
Or, as Reddit co-founder Alexis Ohanian put it on Twitter, the GameStop squeeze is “the public doing what they feel has been done to them by institutions.”
“And it’s a perfect storm at a time when lots of people are hurting, interest rates are so low, inescapable student loan debts loom, and every major institution has caught [losses] during a /global pandemic/ over the last year. This is something to believe in,” he said.
How will the market be different after this?
There is some belief that WSB signals the arrival of a powerful new force as large numbers of retail investors find influence by acting in concert or following one another into a big trade. That may serve as a check or balance on other large forces, such as hedge funds, which are used to throwing their weight around without ordinary investors affecting a price.
“r/WallStreetBets is a top 20 Global Hedge Fund with 2.9MM followers under management at $6,200 each and not one boring research report in sight,” financial analyst Genevieve Roch-Decter said sarcastically on Twitter.
What’s the downside? Should I be worried about the market as a whole?
That’s a tough question. Right now, the speculation activity is only around a few companies, which isn’t that uncommon. But the broader concern comes when what are known as retail investors — amateurs buying stocks for their own personal gain — become overly exuberant and inflate stock prices, sometimes by taking out loans to buy shares.
And some skeptics point to the situation around GameStop and other companies as evidence that the stock market has reached a dangerous level of enthusiasm and speculation.
Massachusetts regulator William Galvin compared the situation Wednesday to the 1999 tech stock bubble. “The current pandemic has created a unique situation where many people who have gotten into day-trading really have no idea exactly what they’re doing,” he told CNBC. “They think they’re missing out if they don’t make a bet.”
How does this end?
Often, a short squeeze ends in a price’s falling back to where it was before the drama started. In 2008, when Volkswagen was in the middle of a trader tug-of-war, it briefly became the stock market’s most valued company, but its price settled down eventually.
History suggests that no stock can go up forever, and over time, stock prices generally reflect the expected future earnings of corporations. But long shots can go on for extended periods if the players have enough resources to risk. Tesla, for example, would need 1,600 years of profits to justify its current price-to-earnings ratio, according to a calculation this month.
GameStop shares may move by about 20 percent a day through March if options trades are an indication, Barron’s reported.
Is someone going to shut this down?
There’s no evidence that any of this is illegal, although Nasdaq CEO Adena Friedman has said stock exchanges and regulators need to pay attention to the potential for schemes fueled by social media.
Reddit didn’t answer questions Wednesday about whether it’s in touch with regulators, but it said it prohibits posting illegal content or facilitating illegal transactions. “We will review and cooperate with valid law enforcement investigations or actions as needed,” Reddit said in a statement.
Galvin said he believed federal regulators would take some action. White House press secretary Jen Psaki said Wednesday that the Biden administration’s economic team was “monitoring the situation” around trading in GameStop.
Why am I hearing about AMC Theatres stock, too?
Remember how we said AMC Theatres is one of the other companies that has been targeted by short sellers? Well, WSB and now other amateur investors are going after those short positions, hoping to induce a similar short squeeze.
AMC shares were up by 265 percent Wednesday.
And the enthusiasm was still spreading to other well-known consumer brands. Bed Bath & Beyond shares were up by 176 percent Wednesday from the start of the year, while Tootsie Roll Industries, the candymaker known for iconic 20th century commercials, was up by 41 percent since Jan. 1.
There may even be a new term for such internet darlings: meme stocks.
Read the original article over at NBCNews.com.
Edge and Chrome want to help with that password problem of yours.
The line between browsers and password managers is blurring.
If you’re like lots of people, someone has probably nagged you to use a password manager and you still haven’t heeded the advice. Now, Chrome and Edge are coming to the rescue with beefed-up password management built directly into the browsers.
Microsoft on Thursday announced a new password generator for the recently released Edge 88. People can use the generator when signing up for a new account or when changing an existing password. The generator provides a drop-down in the password field. Clicking on the candidate selects it as a password and saves it to a password manager built into the browser. People can then have the password pushed to their other devices using the Edge password sync feature.
As I’ve explained for years, the things that make passwords memorable and easy to use are the same things that make them easy for others to guess. Password generators are among the safest sources of strong passwords. Rather than having to think up a password that’s truly unique and hard to guess, users can instead have a generator do it properly.
“Microsoft Edge offers a built-in strong password generator that you can use when signing up for a new account or when changing an existing password,” members of Microsoft’s Edge team wrote. “Just look for the browser-suggested password drop down in the password field and when selected, it will automatically save to the browser and sync across devices for easy future use.”
Edge 88 is also rolling out a feature called the “password monitor.” As the name suggests, it monitors saved passwords to make sure none of them are included in lists compiled from website compromises or phishing attacks. When turned on, the password monitor will alert users when a password matches lists published online.
Checking passwords in a secure way is a difficult task. The browser needs to be able to check a password against a large, always-changing list without sending sensitive information to Microsoft or information that could be sniffed by someone monitoring the connection between the user and Microsoft.
In an accompanying post also published Thursday, Microsoft explained how that’s done:
Homomorphic encryption is a relatively new cryptographic primitive that allows computing on encrypted data without decrypting the data first. For example, suppose we are given two ciphertexts, one encrypting 5 and the other encrypting 7. Normally, it does not make sense to “add” these ciphertexts together. However, if these ciphertexts are encrypted using homomorphic encryption, then there is a public operation that “adds” these ciphertexts and returns an encryption of 12, the sum of 5 and 7.
First, the client communicates with the server to obtain a hash H of the credential, where H denotes a hash function that only the server knows. This is possible using a cryptographic primitive known as an Oblivious Pseudo-Random Function (OPRF). Since only the server knows the hash function H, the client is prevented from performing an efficient dictionary attack on the server, a type of brute force attack that uses a large combination of possibilities to determine a password. The client then uses homomorphic encryption to encrypt H(k) and send the resulting ciphertext Enc(H(k)) to the server. The server then evaluates a matching function on the encrypted credential, obtaining a result (True or False) encrypted under the same client key. The matching function operation looks like this: computeMatch(Enc(k), D). The server forwards the encrypted result to the client, who decrypts it and obtains the result.
In the above framework, the main challenge is to minimize the complexity of the computeMatch function to obtain good performance when this function is evaluated on encrypted data. We utilized many optimizations to achieve performance that scales to users’ needs.
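The homomorphic addition and encrypted matching described in Microsoft's explanation above can be reproduced at toy scale. This is an added example, not Microsoft's code and not part of the original article: it swaps in a small Paillier cryptosystem (the article does not name the scheme Edge uses), replaces the OPRF round trip with a keyed hash named server_hash, and all names, keys and passwords are constructed for illustration.

```python
import hashlib
import hmac
import math
import secrets

# Toy Paillier key built from two Mersenne primes; far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, N2 = P * Q, (P * Q) ** 2                        # public key N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # private: lcm(P-1, Q-1)
MU = pow(LAM, -1, N)                               # private: valid since g = N + 1


def _unit():
    """Random value in [1, N) that is invertible mod N."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r


def encrypt(m):
    """Enc(m) = (1 + m*N) * r^N mod N^2; uses only the public key."""
    return (1 + (m % N) * N) * pow(_unit(), N, N2) % N2


def decrypt(c):
    """Recover m with the private key (LAM, MU)."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def add(c1, c2):
    """Public operation: the product of two ciphertexts encrypts the sum."""
    return c1 * c2 % N2


def server_hash(server_key, credential):
    """Stand-in for the OPRF output H(k): keyed hash cut to 88 bits (< N)."""
    mac = hmac.new(server_key, credential.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:11], "big")


def compute_match(enc_h, breached):
    """Server side: Enc(r * (h - d)) for every d in D, computed without seeing h.

    Enc(h) * Enc(-d) encrypts h - d; raising it to a random r blinds non-matches.
    """
    out = [pow(add(enc_h, 1 + ((-d) % N) * N), _unit(), N2) for d in breached]
    secrets.SystemRandom().shuffle(out)  # hide which list entry matched
    return out


def client_is_breached(server_key, breached, credential):
    """Client side; server_key is passed in only because the OPRF is simulated."""
    enc_h = encrypt(server_hash(server_key, credential))
    return any(decrypt(c) == 0 for c in compute_match(enc_h, breached))


if __name__ == "__main__":
    key = b"constructed-server-key"                                # constructed
    D = [server_hash(key, pw) for pw in ("hunter2", "password1")]  # constructed
    print(decrypt(add(encrypt(5), encrypt(7))), client_is_breached(key, D, "hunter2"))
```

A decrypted value of 0 means the credential is in the server's list; any other value is a blinded number that tells the client nothing about the other list entries.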
Not to be outdone, members of the Google Chrome team this week unveiled password protections of their own. Chief among them is a fuller-featured password manager that’s built into the browser.
“Chrome can already prompt you to update your saved passwords when you log in to websites,” Chrome team members wrote. “However, you may want to update multiple usernames and passwords easily, in one convenient place. That’s why starting in Chrome 88, you can manage all of your passwords even faster and easier in Chrome Settings on desktop and iOS (Chrome’s Android app will be getting this feature soon, too).”
Chrome 88 is also making it easier to check if any saved passwords have wound up on password dumps. While password auditing came to Chrome last year, the feature can now be accessed using a security check similar to the one shown below:
Many people are more comfortable using dedicated password managers because they offer more capabilities than those baked into their browser. Most dedicated managers, for instance, make it easy to use dice words in a secure way. With the line between browsers and password managers beginning to blur, it’s likely only a matter of time until browsers offer more advanced management capabilities.
Read the original article over at ArsTechnica.com.
Hacker blunder leaves stolen passwords exposed via Google search.
Phishing scam blunder left thousands of stolen passwords exposed through Google search.
A mistake on the part of the cyberattackers led to their discovery — and that of the data they pillaged.
Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google index the stolen passwords for public searches.
The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It received constant updates to make the fraudulent Microsoft Office 365 login requests look more realistic.
Creds in plain sight
Despite relying on simple techniques, the campaign has been successful in bypassing email protection filters and collected at least 1,000 login credentials for corporate Office 365 accounts.
Researchers at cybersecurity companies Check Point and Otorio analyzing this campaign discovered that the hackers exposed the stolen credentials to the public internet.
In a report published today, they explain that the attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed.
As a result, Google could show results for queries of a stolen email address or password, as seen in the screenshot below:
Researchers at the two cybersecurity companies say that the attackers also compromised legitimate WordPress servers to host the malicious PHP page delivered to victims.
“Attackers usually prefer to use compromised servers instead of their own infrastructure because of the existing websites’ well-known reputations,” the researchers explain.
Processing information from about 500 entries, the researchers could determine that companies in the construction, energy, and IT sectors were the most prevalent targets of these phishing attacks.
Simple, effective phishing
The attackers used several phishing email themes to lure potential victims into loading the landing page that collected their Microsoft Office 365 username and password.
The malicious emails had the target’s first name or company title in the subject line and purported to deliver a Xerox scan notification in HTML format.
Opening the attachment loaded in the default web browser a blurred image overlaid by a fake Microsoft Office 365 login form. The username field is already populated with the victim’s email address, which typically removes suspicion of login theft.
To keep the campaign undetected, the actor used compromised email accounts to distribute the fraudulent messages. For one attack, they impersonated the German hosting provider IONOS by 1&1.
Although this campaign started in August, the researchers found phishing emails from the same threat actor that dated from May 2020.
While Google indexing hackers’ pages where they save stolen data is not a first, it shows that not all malicious actors are sufficiently skilled to protect their operations. Even if they are not identified, at least their actions can be thwarted.
Read the original article over at BleepingComputer.com.