‘Life-Changing Conversation’ With Eric Schmidt Led to $5 Raspberry Pi Zero

If you are amazed by the Raspberry Pi Zero, a credit-card sized computer that is priced at an enticing $5 (roughly Rs. 320), you may want to thank Eric Schmidt for it. The former Google CEO and current executive chairman of Alphabet played a key role in the development of the cheap mini-computer.

Raspberry Pi Foundation founder Eben Upton told WSJ in an interview that it was Schmidt who suggested to him that the Raspberry Pi Foundation should make a cheaper variant of its miniature computer instead.

The conversation, according to Upton, took place in 2013 when Google was granting Raspberry Pi Foundation a sum of $1 million to distribute its first device to school children. During the occasion, Schmidt had asked Upton about the organisation’s plan for the upcoming months. At the time, as Upton said, the organisation had plans to build a more powerful version of the Raspberry Pi, which would be priced somewhere around $50 (roughly Rs. 3,300) to $60 (roughly Rs. 4,000). Schmidt told Upton that it would be a wrong move to manufacture a higher priced computer.

“I told him we were thinking of making future Raspberry Pi’s a little bit more expensive, up at about $50 or $60, and a bit more powerful,” Upton told WSJ. “He said it was very hard to compete with cheap. He made a very compelling case. It was a life-changing conversation.”

The suggestion, Upton noted, compelled him to change his original strategy. “The idea was to make a more powerful thing at the same price, and then make a cheaper thing with the same power.”

Once completely nascent, the market of miniature computers has grown mature and crowded over the years with big players such as Intel and Asus now also offering mini computers.

US Retailers Hunt for Attacks After Warning on Stealthy Malware

US retailers are hunting for evidence of new breaches leading into the holiday shopping season after a cyber intelligence firm privately warned them about payment-card-stealing malware that it said evades almost all security software.

“This is by far the most sophisticated point-of-sale malware seen to date,” said Maria Noboa, lead technical analyst for privately held iSight Partners, which uncovered the malware and was due to release a technical report about it on Tuesday.

The firm had shared information about the malware, dubbed ModPOS, with clients in October, and briefed dozens of companies, including retailers, hospitality companies and payment-card processors, about its dangers.

Retailers began hunting for the malware in the approach to this week’s unofficial launch of the holiday shopping season, the busiest time of the year for most merchants, according to the Retail Cyber Intelligence Sharing Center (R-CISC), an industry group set up this year to fight hackers.

Retailers have been fending off increasingly sophisticated payment-card theft schemes for more than a decade. The biggest breaches to date include a notorious 2013 holiday-shopping-season attack on Target Corp and a major breach at Home Depot Inc, each of which compromised tens of millions of payment card numbers.

ISight declined to say how it uncovered the ModPOS threat or name any targeted retailers.

Some retailers have found digital evidence that linked threat indicators they had previously seen to ModPOS, though that does not necessarily mean they were victims of breaches, said Wendy Nather, director of research for R-CISC.

“I couldn’t tell you who is most likely to be compromised by this,” Nather said. “But if it were harmless, we wouldn’t even be talking about it.”

Her group, which was set up this year, has approximately 50 members including Gap Inc, J.C. Penney Co, Lowe’s Co and Walgreens.

ISight said it first identified the malware late last year, but only came to understand its sophistication in recent months after breaking encryption that hid how the malware works.

ModPOS includes modules for “scraping” payment-card numbers from the memory of point-of-sale systems, logging keystrokes of computer users and transmitting stolen data, according to iSight.

NSA Says How Often, Not When, It Discloses Software Flaws

The US National Security Agency, seeking to rebut accusations that it hoards information about vulnerabilities in computer software, thereby leaving US companies open to cyber-attacks, said last week that it tells US technology firms about the most serious flaws it finds more than 90 percent of the time.

The re-assurances may be misleading, because the NSA often uses the vulnerabilities to make its own cyber-attacks first, according to current and former US government officials. Only then does NSA disclose them to technology vendors so that they can fix the problems and ship updated programs to customers, the officials said.

At issue is the US policy on so-called “zero-days,” the serious software flaws that are of great value to both hackers and spies because no one knows about them. The term zero-day comes from the amount of warning users get to patch their machines protectively; a two-day flaw is less dangerous because it emerges two days after a patch is available.

The best-known use of zero-days was in Stuxnet, the attack virus developed by the NSA and its Israeli counterpart to infiltrate the Iranian nuclear programme and sabotage centrifuges that were enriching uranium.

Before its discovery in 2010, Stuxnet took advantage of previously unknown flaws in software from Microsoft Corp and Siemens AG to penetrate the facilities without triggering security programs.

A shadowy but robust market has developed for the buying and selling of zero-days, and as Reuters reported in May 2013, the NSA is the world’s top buyer of the flaws. The NSA also discovers flaws through its own cyber programs, using some to break into computer and telecommunications systems overseas as part of its primary spying mission.

Some zero-days are worth more than others, depending on such factors as the difficulty in finding them and how widespread the targeted software is. While some can be bought for as little as $50,000, a prominent zero-day broker said this week that he had agreed to pay $1 million to a team that devised a way to break into a fully updated Apple iPhone. Chaouki Bekrar, of the firm Zerodium, told Reuters the iPhone technique would “likely be sold to US customers only,” including government agencies and “very big corporations.”

Government officials say there is a natural tension as to whether zero-days should be used for offensive operations or disclosed to tech companies and their customers for defensive purposes.

In the wake of revelations by former NSA contractor Edward Snowden and a Reuters report that detailed how the government paid security firm RSA to include NSA-tainted encryption in its software, a White House review panel recommended tilting government policy more towards defence.

President Barack Obama’s cyber-security coordinator, Michael Daniel, then said he had “reinvigorated” the review process that decides what to do about each flaw that comes to government attention. The details of that process remain classified, but interviews show that the changes sharply elevated the role of the Department of Homeland Security, which is responsible for defence and had not previously been at the centre of inter-governmental debates on the issue.

After Daniel described the revamped process broadly, the activist Electronic Frontier Foundation sued for documents about it under the Freedom of Information Act.

The most significant release in that case came in September, with an undated and partly redacted 13-page memo outlining how agencies should handle knowledge about software vulnerabilities. The memo states that the NSA’s defensive arm, the Information Assurance Directorate, served as the executive secretariat for the process.

Homeland security
A redacted portion of the memo lists the agencies that participated in the process as a matter of course. An unredacted part refers to other agencies that can ask to participate on a case-by-case basis, and the Department of Homeland Security appears in that section, along with the departments of State, Justice, Treasury and Commerce.

Two former White House officials said that the memo referred to the old system, before Daniel reorganized it about a year and a half ago.

In an interview, Daniel told Reuters that DHS was a key part of the new system, which is run by the White House’s National Security Council.

“DHS is at the table in the process I’m running,” Daniel said.

An NSA spokeswoman referred questions about its policy to the NSC, where a spokesman referred Reuters back to the NSA.

The NSA says on its website that it understands the need to use most flaws for defence.

“In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” according to the website.

“But there are legitimate pros and cons to the decision to disclose vulnerabilities, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences.

“Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial foreign intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or discover even more dangerous vulnerabilities that are being used to exploit our networks.”

The agency said: “Historically, NSA has released more than 91 percent of vulnerabilities discovered in products that have gone through our internal review process and that are made or used in the US.”

It said the rest included some that had already been fixed as well as those held back “for national security reasons.”

One former White House official noted that the NSA did not say when the disclosures were made, adding that it would be “a reasonable assumption” to conclude that much of that 91% covers flaws the NSA had already used to gather intelligence before alerting the companies. He also said the figure includes those bought from outside entities. NSA and NSC officials declined to address those assertions.

It is anyone’s guess how long the average gap is between offensive use and defensive disclosure, said Denelle Dixon-Thayer, chief legal and business officer of Firefox browser maker the Mozilla Foundation.

The bigger that gap is, the greater the likelihood that other countries or hackers using similar hunting techniques have also discovered it. Even if they haven’t, the target of a US cyber-attack can detect what technique was used and repurpose it against the US and others.

“If it’s disclosed after it’s already been executed against, that’s a really important question,” Dixon-Thayer said.

In the revamped US evaluation process, another former official said that the Department of Homeland Security is often the most vigorous “dove” in the discussions, arguing for disclosures before others find the same flaw and exploit it.

A current administration official said that the proportion of serious flaws disclosed to vendors did not jump after the NSC took control of the process. “It’s still early, but the trend has not significantly changed,” the official said.

The growing discussion about US policy on vulnerability disclosure comes as House and Senate leaders prepare to fine-tune three related bills on cyber-security information-sharing, which are designed to give companies legal protection for reporting attacks to the government.

Mozilla and many other technology companies oppose those bills because they will give the government more information about customers and attacks without requiring the government to give more information to the companies.

Dixon-Thayer said officials could even take what they learn about new techniques from the industry to launch their own attacks instead of helping defenders.

Karnataka Becomes the First Indian State to Have a Startup Policy

Karnataka has become the first Indian state to have a startup policy with the cabinet clearing it, state Information Technology and Bio-Technology minister S.R. Patil said on Friday.

“Karnataka is the first state in India to come up with a Startup Policy. It will have a timeframe of five years from 2015-2020,” said Patil at the Bangalore ITE.biz 2015 curtain raiser, adding the cabinet approval was accorded on Thursday.

Principal Secretary, IT and BT, V. Manjula said that the policy entails setting up incubators in post graduate colleges, collaboration between R & D institutions and industry and technical business incubators in higher learning institutions among others.

“The operational guidelines and the finer aspects of the Startup policy and the quantum of money for the Startup fund are yet to be made. They will be drafted soon,” he said, adding funds will be released to colleges which will be given a handholding for three years and there will also be a Startup Policy review committee headed by the chief secretary.

Establishment of a Startup cell in KBITS and funding promising early stage startups are also the features of the new policy.

Meanwhile, Karnataka government’s premier IT event Bangalore ITE.biz 2015 has severed its ties with CeBIT and is going independent from December 8-10 with the theme “Fuelling growth through disruptive innovation”.

“Bangalore ITE.biz 2015 is coming up with a renewed vigour this year… Last year in CeBIT 2014, we missed the Karnataka flavor,” said Software Technology Parks of India (STPI) director P.K. Das.

First started in 1998, the event will feature 100 plus exhibitors, 110 speakers, 1,000 delegates, 5,000 visitors and eight Young Entrepreneurs Startups in Soaring Spirits (YESS) presenters.

“Various government stakeholders will throw up challenges being faced by them in a hackathon to produce solutions in Bangalore ITE.biz 2015,” added Manjula.

Co-host STPI will confer IT export awards wherein big companies will be recognized as “Pride of Karnataka”, added Das.

Emphasising Karnataka’s robust IT industry, Patil said: “In 2014-15, exports from Karnataka IT companies crossed Rs. 2 lakh crore, and we aim to touch four lakh crore in 2020. The industry generates direct and indirect employment for 40 lakh people.”

Infosys co-founder and Karnataka IT Vision Committee head Kris Gopalakrishnan said every Bangalore ITE.biz is different and should be relevant to the industry requirement and align with the evolving industry.

Google Slams Symantec for Issuing Fake Web Certificates, Demands Answers

Google is demanding that Symantec conduct an assessment to ensure it is still eligible to run a certificate authority. The search giant’s scathing statement comes after the security firm was found to have issued a large number of fake digital certificates.

In mid-September, upon Google’s notification, Symantec revealed that its Thawte certificate authority (CA) issued an Extended Validation (EV) pre-certificate for several domains including Google’s and Opera’s. A total of 23 certificates were issued without the domain owners’ knowledge. At the time, Symantec said that these certificates were only created for testing purposes, and were accidentally issued. Google found these domains in its Certificate Transparency system logs.

Following this discovery, Google asked Symantec to conduct a full audit. Upon investigation, Symantec reported an additional 164 bogus certificates spanning 76 domains, and an additional 2,400 test certificates for unregistered domains. The practice of issuing certificates for unregistered domains has been prohibited since April 2014.

In September, the security firm also fired a number of its employees for errors in issuing certificates. The company had said that “employee error” caused cryptographic certificates to be issued online.

The fake certificates, according to Google, make it possible for attackers to impersonate its websites as well as many others’, potentially leading to data theft and other cybercrimes. “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency,” wrote Ryan Sleevi, Software Engineer at Google in a blog post on Wednesday.

“In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner,” he added.

Symantec seems to be downplaying the threat of the fake certificates. “In September, we were alerted that a small number of test certificates for Symantec’s internal use had been mis-issued. We immediately began publicly investigating our full test certificate history and found others, most of which were for non-existent and unregistered domains,” it said in a statement.

“While there is no evidence that any harm was caused to any user or organisation, this type of product testing was not consistent with the policies and standards we are committed to uphold. We confirmed that these test certificates have all been revoked or have expired, and worked directly with the browser community to have them blacklisted.”

Google is not pleased, as you can imagine. The company wants Symantec to conduct a further investigation to find how it failed to meet the basic requirements. Symantec must comply with Google’s demands if it wants to be trusted by Google for certificates. In addition it also requires Symantec, beginning June 1, 2016, to log all certificates with Google’s Certificate Transparency mechanism.

Europe Has Approved ‘Net Neutrality,’ but Not the Kind Advocates Wanted

The European Parliament has voted to approve new rules for Internet providers in major legislation that is nevertheless being slammed by net neutrality advocates who say the regulation is filled with loopholes.

The bill was passed with none of the amendments that consumer advocates and tech firms were pushing for in a last-ditch effort this week. Critics said the bill did not do enough to prevent Internet providers from classifying favored types of Web traffic as “specialized services” that are more lightly regulated. They also said it gives carriers too much freedom to exempt favored partners from customer data caps, a practice known as “zero rating.”

The vote will lead to a less competitive Internet as broadband providers seek to create paid “fast lanes,” opponents of the bill warned. Internet providers argued that it was in the “main interest of European consumers” to be able to choose among providers based on quality of service and support for various features such as connected cars or telemedicine. Stronger rules might restrict their ability to differentiate themselves and try different business models, they had previously argued.

Roaming provisions of the legislation ensure that users of a communications service traveling to another EU member state will no longer be slapped with high fees for going abroad. The measure pushes Europe toward greater integration, at least as far as mobile services.

But many net neutrality advocates are portraying the bill’s passage as a defeat for the policy.

Indian Road Safety Platform Raksha SafeDrive Goes Up on Kickstarter

Raksha Safedrive, an Internet of Things (IoT) road safety gadget made by Trivandrum-based Elysis Intelligent Devices, has gone live on Friday on US-based crowdfunding platform Kickstarter, with a modest $15,000 goal (roughly Rs. 9.7 lakhs).

The device is claimed to be India’s first smart road safety platform. Once fitted above the dashboard of the car, it’s capable of GPS tracking, automatic crash detection, and offering one-touch voice connectivity in the event of a vehicle breakdown, SafeDrive’s creators claimed.

Raksha SafeDrive’s integrated crash sensors can detect and connect 24×7 to a network of emergency services (medical, police, fire, breakdown) at the touch of a button; all delivered through direct human assistance, the founders added. Family and/or friends can also be notified via phone call and SMS in case of emergency using the device.

The firm’s modest Kickstarter goal would be met by just 150 early bird orders, priced at $99. At $149, users will get their SafeDrive unit in the colour of their choice.

Speaking to Gadgets 360, Prasad Pillai, Co-Founder and CEO of Elysis Intelligent Devices, said that he chose to put his product on an international crowdfunding platform as he wanted to appeal to the Indian diaspora who wanted to do something about the lack of road safety in India. He cited 2014 data released by the National Crime Records Bureau (NCRB) which says that Indian roads witness 16 deaths every hour.

The founders are confident that the device can provide roadside assistance to any user, as long as the area has cellular connectivity, but didn’t disclose details of their systems and back-end operations. The call centre will be capable of multilingual support, they assured.

Cyber-Security Bill Advances in US Senate

A long-delayed bill that would make it easier for corporations to share information about cyber-attacks with each other or the government without fear of lawsuits advanced in the US Senate on Thursday with support from members of both parties and the White House.

Dozens of industry and business groups, including the US Chamber of Commerce, back the Cybersecurity Information Sharing Act (CISA), saying it would help encourage companies and the government to share information that might help thwart high-profile cyber-attacks.

But many privacy activists and a few lawmakers, including Republican Senator Rand Paul and Democratic Senator Ron Wyden, vehemently oppose it. Several big tech companies also have come out against the measure, arguing that it fails to protect user privacy and does too little to prevent cyber-attacks.

“The bill would grant legal immunity to companies who in sharing information actually violate your privacy,” Paul said in the Senate shortly after a procedural vote of 83 to 14, well above the 60 “yes” votes needed to move ahead.

The Senate began debating amendments to the measure, which is on track to pass next week.

The House of Representatives passed its version of CISA in April with strong support from Republicans and Democrats.

Any version of CISA passed by the Senate would have to be reconciled with the House bill before it could be sent to the White House for President Barack Obama to sign into law.

The White House said in a statement that it supports the bill but wants the Department of Homeland Security to be charged with running the information-sharing system, and would “strongly oppose” any amendments to the bill to expand exceptions.

The White House also said it is concerned about provisions that would authorise “certain potentially disruptive defensive measures” to hacking attacks, measures that could hurt foreign policy and raise legal issues.

“The administration is committed to continue working with stakeholders to address remaining concerns,” the White House said.

Virtual Currency Groups Form Alliance With US Law Enforcement

The Obama administration is joining with private companies in a partnership aimed at training enforcement officials about the virtual currency Bitcoin and fighting crime arising from its use.

The goals of the partnership, called the Blockchain Alliance, include educating investigators on the ins and outs of how the technology works and enhancing the reputation of a digital currency that’s been associated with high-profile crime even as it has slowly gained mainstream acceptance and legitimacy. Its members hope to change the public perception of virtual currency and deter criminals from using it to their advantage.

The alliance announced Thursday includes the Departments of Justice and Homeland Security and representatives of private companies such as BitFury, BitPay and CoinBase that are involved in virtual currency.

The name comes from the term “blockchain,” which refers to the digital ledger on which Bitcoin transactions are recorded.

Supporters see Bitcoin, a decentralized form of money that offers users a degree of privacy for their transactions, as a fast and easy payment system that is gaining legitimacy among regulators and businesses. New York state regulators last month approved their first license for a company dealing in virtual currency, and online retailer Overstock.com this year installed a bitcoin ATM at its corporate headquarters in Salt Lake City.

But Bitcoin’s reputation has nonetheless suffered as criminals have exploited it for Ponzi schemes and as the primary currency for Silk Road, the Internet drug bazaar whose founder was sentenced to life in prison this year. Two agents from the Secret Service and Drug Enforcement Administration who were assigned to a Silk Road task force pleaded guilty this year to pocketing Bitcoin proceeds during the course of their investigation.

“Far too many people think of Bitcoin as the currency of criminals,” said Jason Weinstein, the alliance’s director and a former Justice Department deputy assistant attorney general.

“We think that changing that misperception, that image problem, will be good for the growth of the industry as a whole,” added Weinstein, a partner at the Steptoe and Johnson law firm.

He said he envisioned the alliance as a “one-stop shopping resource” for law enforcement, with training sessions and conference calls to answer questions about Bitcoin. Industry participation is intended to signal a commitment to helping law enforcement weed out criminal activity associated with the currency.

“The more law enforcement understands how this technology works, the more they can understand what they can ask for, how they can ask for it,” said Jerry Brito, executive director of Coin Center, a Bitcoin advocacy group and participant in the alliance.

He said the public perception of the virtual currency is reminiscent of the Internet’s early days, when many saw the World Wide Web as a hub for illegal activity. Just as that association has changed over time, so too might the perception of Bitcoin, he said.

“We should get to a point where we don’t think badly of Bitcoin because criminals use Bitcoin,” and part of the way to get there is to draw attention to its legitimate uses, he added.

Airbnb Apologizes for San Francisco Tax Ads

Airbnb apologized Thursday for street ads here with sassy suggestions as to what San Francisco should do with hotel tax money collected from the home-sharing platform.

“We apologize for Wednesday’s SF ads,” the startup tweeted from an @Airbnb account at Twitter.

“They displayed poor judgment and do not live up to the values and humanity of our global community.”

While some found the messages comic, others took offense.

Tongue-in-cheek ads signed “love Airbnb” included suggestions on ways to spend $12 million (roughly Rs. 77.8 crores) collected through a hotel tax the company had fought to dodge.

Playfully worded ads suggested the money should go to longer library hours, private shuttle service for residents, cleaning parks, or providing more bike lanes.

An ad displayed at one public bus stop recommended using the tax money to feed expired parking meters, while another ad suggested installing escalators on the city’s trademark hills.

Airbnb reportedly pumped $8 million (roughly Rs. 52 crores) into political groups fighting the city’s successful campaign to extract hotel-type tax from residences rented out through the online service.

The San Francisco-based startup was pelted with tweets expressing offense at the ads.

One tweet, copying the ads’ style, pointed to how much good Airbnb would have done if it had donated the money it spent fighting the local tax measure to libraries.

Airbnb’s website allows property dwellers and owners to rent a room or entire home for short periods. Earlier this year the startup raised $1.5 billion (roughly Rs. 9,727 crores) in new capital, sending its value up to $25.5 billion (roughly Rs. 1,65,370 crores).

The company was launched in 2008 and now has some 40 million users worldwide.

Traditional hotel chains see Airbnb as a rival and accuse it of helping people avoid taxes and of hosting illegal accommodations on its website.