Thursday, July 25, 2013

Stanford University Is Investigating An Apparent Security Breach, Urges Community To Reset Passwords

TechCrunch

Stanford University urged network users to change their passwords late Wednesday evening, explaining that it “is investigating an apparent breach of its information technology infrastructure.”


Randall Livingston, Stanford’s chief financial officer, emailed the entire Stanford community, noting that Stanford does “not yet know the scope of the intrusion.”


Livingston’s full email, which was sent via an IT Services announce email but signed by the school’s CFO, reads:


“Members of the Stanford Community:


Stanford is investigating an apparent breach of its information technology infrastructure similar to incidents reported in recent months by a range of companies and large organizations in the United States. We do not yet know the scope of the intrusion, but we are working closely with information security consultants and law enforcement to determine its source and impact. We are not aware at this time of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.


As a precautionary measure, we are asking all users of Stanford’s computer system – that is, all those with a SUNet, or Stanford University Network, ID – to change their passwords. This may be done on the “Accounts” page of the Stanford website. (You can find the “Accounts” page by going directly to the main stanford.edu website.) Additional information is posted on that page verifying the nature of the issue and the University’s request that passwords be updated. As we learn more about the incident, this process may need to be repeated.


Stanford treats information security with the utmost seriousness and is continually upgrading its defenses against cyberattacks. Like many institutions, it repels millions of attempted attacks on its information systems each day. In recent months, a range of large organizations have reported attacks involving their information systems. Preliminary indications are that the breach at Stanford bears many similarities to these incidents. We are unable to provide additional detail at this time, given the ongoing nature of the investigation and the importance of limiting any damage from the incursion. We will provide updates to users of our systems as more information becomes available.”


A bit of searching turns up many tweets and articles alleging past “hacking” of Stanford’s systems, none of which prompted a university-wide email. But Livingston’s description does resemble an alleged security breach this past May by “Ag3nt47.”


Smaller sites reported in May that this hacker had breached the Harvard, Stanford and MIT websites and published staff information online. Another site reported that Ag3nt47 had also hacked the sites of Rutgers, NASA, Mazda, Suzuki, Isuzu, the Chinese branch of Bose Speakers, and Mopar, one of the world’s largest automotive parts suppliers.


This would fit with Stanford’s description of the hack being “similar to incidents reported in recent months by a range of companies and large organizations in the United States.”


Looking at the published contents of this hack, it appears that Ag3nt47 merely scraped information from the website of the Stanford Institute for Computational and Mathematical Engineering (ICME). The dump shows names and email addresses of ICME staffers, but those are publicly listed on the site. It seems unlikely that such a small intrusion would prompt this response from Stanford, unless Ag3nt47 accessed more information than was publicly posted. Ag3nt47 does, however, claim to have “the entire database.”



Still, it’s possible that Ag3nt47 is taking credit for another hacker’s work, or assumes Stanford is investigating that hack when the university is actually looking at a different breach. A recent New York Times article notes that U.S. campuses are fighting millions of cyber attacks every week, most of which are thought to originate in China.


In the meantime, Stanford is urging all Stanford network ID holders to change their passwords.



I’ve reached out to several Stanford sources, including Stanford’s PR, and will update the post when I know more.


Disclosure: I am a rising senior and the co-student body president at Stanford.


Image via Stanford Alumni.


Irish Data Protection Agency Smiles On Apple, Facebook Prism Compliance


The Irish Office of the Data Protection Commissioner (ODPC) has responded to two of the complaints filed last month by the European data protection activists behind the Europe v Facebook (evf) campaign group against several U.S. technology companies for alleged collaboration with the NSA’s Prism data collection program. Responding specifically to complaints against Apple and Facebook, the ODPC basically takes the view that there’s no complaint to answer, owing to a prior ‘Safe Harbor’ agreement between the E.U. and the U.S. which it says governs the transfer of personal data in this instance.


evf had been aiming to gain clarity on what it argued were potentially conflicting legal requirements, whereby — owing to their corporate structure — the companies in question may have been unable to comply with both European privacy laws and U.S. surveillance laws. However, in a letter (reproduced here) responding to evf’s complaints, the ODPC takes the view that so long as “the U.S. based entity is ‘Safe Harbor’ registered” (which Apple and Facebook apparently are) there is no cause for Prism-based complaints, noting:


We consider that an Irish-based data controller has met their data protection obligations in relation to the transfer of personal data to the U.S. if the U.S. based entity is ‘Safe Harbor’ registered. We further consider that the agreed ‘Safe Harbor’ Programme envisages and addresses the access to personal data for law enforcement purposes held by a U.S. based data processor.


While the U.S.-E.U. Safe Harbor agreement, which dates back to 2000, generally requires US companies to adhere to a set of E.U. personal data protection principles — such as informing citizens that their data is being collected and how it will be used (which has clearly not been going on in the case of the NSA’s Prism program) — the ODPC’s letter notes that adherence to the principles “may be limited” –


(a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, an organization can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization”.


As you’d expect, evf is unimpressed with the ODPC’s response, dubbing it “unbelievable”. The group argues that while the Safe Harbor agreement generally allows the transfer of data to the U.S. “as a rule of thumb”, it also includes exceptions where Europeans’ data “is not adequately protected”, which evf says the ODPC’s response ignores.


Commenting on the letter in a statement, evf spokesman Max Schrems said: “The Irish authority seriously says that the EU has envisioned and accepted the PRISM program 13 years ago, when making the ‘Safe Harbor’ decision. They say that the EU has agreed to PRISM, effectively blaming Brussels instead of taking action. This also means that the DPC is of the opinion that the PRISM program is in line with an ‘adequate protection’ of privacy under EU law. I doubt that the European Commission thinks so too, but at least we got the Irish DPC to publicly declare for which team they are playing.”


“This means that you can forward Europeans’ data to the NSA as much as you wish, if you only put your parent company on a list,” he added.


It’s worth noting that the ODPC’s letter does also state that “the proportionality and oversight arrangements for programmes such as PRISM are to be the subject of high-level discussions between the EU and the USA”. The overriding impression conveyed by the letter is of a regional DP authority, with close links to the U.S. tech giants that have sited their international headquarters on its soil, doing everything it can to avoid sticking its own neck over the parapet on Prism, and passing the buck up the chain to EU-level data protection regulators instead. (Contrast the Irish response with this regional German DP agency’s concern about a “massive risk” associated with Prism data collection, for instance; the difference in tone is striking.)


“We have the impression that the ODPC is trying to simply ignore the complaints and the whole PRISM scandal. It seems like they have little interest in the rights they are paid to protect. If there is a way to appeal this in Ireland we clearly appeal it. Right now it seems like the ODPC is ruining Ireland’s reputation in this matter,” added Schrems.


Ireland’s economy continues to benefit from attracting tech giants to set up international headquarters there — with favourable corporate tax rates as one lure, and — as evf would doubtless argue — a ‘friendly’ data protection authority as another. As an example of the latter, the ODPC has previously ruled in Facebook’s favour: last September, after a lengthy investigation into user data and privacy issues — triggered once again by evf complaints — the body declared itself happy that Facebook had listened to “the great majority” of its recommendations.


We’ve reached out to the European Commission for comment on the ODPC’s stance and will update this story with any response. The EC’s Neelie Kroes has been critical of Prism, warning earlier this month that the programme risks undermining trust in U.S. cloud companies.


Ilya Segalovich, Co-Founder And CTO Of Russian Search Giant Yandex, Passes Away From Cancer Complications



Very sad news this morning for Yandex — “the Google of Russia” — and for the country’s wider technology community: Ilya Segalovich, Yandex’s co-founder and CTO, has passed away from cancer complications. He was 48.


“Ilya had been responding well to cancer treatment before unexpectedly succumbing to complications early this morning,” a spokesperson told TechCrunch. The official company statement includes a note from Arkady Volozh, the other co-founder and CEO, who was also a friend of Segalovich:


“Ilya was a friend of life and this is a terrible personal loss. Ilya’s contributions to the founding and development of Yandex were invaluable. More importantly, his philanthropic contributions touched many children in need. My thoughts and those of all of the Yandex family are with Ilya’s family at this difficult time. We know that the strong technical team Ilya helped to build will carry on the work Ilya cared so passionately about. Ilya was an encyclopedia in technology and his highest ethical standards have always set the landmark for us all.”


Segalovich and Volozh started Yandex more than 20 years ago, first as a search engine that indexed the Bible, and rapidly ramped it up to cover other kinds of search. Yandex, he once told me, was short for “Yet Another Index.” Eventually the company extended into nearly every networked service under the sun, spanning web search, mapping, mobile, cloud-based storage, mail and much more. Considering that portfolio of products, combined with Yandex’s dominant position in the Russian search market, it was no surprise that it picked up the moniker of “the Google of Russia.”


Throughout all of that growth, the two co-founders remained collaborators and friends. Last year, when I had the privilege of meeting Segalovich, he described how the two had continued to work closely together. “Arkady and I understand each other before others understand us,” he told me. “We sit in the same room, even now.”


Segalovich was the embodiment of that classic, strong combination of super-smart technologist and man with big ideas. Bristling slightly when I brought up the Google comparison, he touted Yandex’s own engineering prowess and earliest moves in search, which predated those of its U.S. counterpart.


Google’s dominance perhaps clipped Yandex’s wings in terms of where it could and would take its products. Rather than going head-to-head with Google in markets like Europe on products like search, Yandex took another route: it sought market share in countries that neither Google nor others like Baidu had (yet) conquered, and it moved into totally new product areas that were still new enough for a latecomer to make headway.


To that end, Segalovich was a strong advocate and champion of Yandex’s extension into new product areas like maps and mobile. (Indeed, even in Russia, Google is a formidable player whose power is growing. Yandex has a 60%+ share of the search market, but Google’s huge win in Android as the smartphone platform to beat in Russia is likely to shift that balance over time. Hence Yandex’s big push into mobile and cloud services in particular. “We are very close to having a full set of Android services,” he told me last year. “We have a great set of all the applications that you need. We have great mail, maps, full solutions and now we have a shell and widgets.” It has, however, yet to launch a full, Android-style OS, and it may never do so.)


Segalovich was proud of the 1200+ engineers at Yandex who were responsible for building all of that, although he also admitted to me that he had, like many who move into executive positions, strayed far from being a programmer himself. “I wrote my last line of code four years ago,” he joked last year. “It was heavy C++ and wasn’t that useful.”


He was indeed a very modest, but very brilliant, guy. He will be missed. RIP.


Mobile Payments Provider Fortumo Partners With China Unicom and China Telecom, Now Has Deals With All Three Of China's Major Telecoms



Fortumo announced that it has inked direct carrier billing agreements with China Unicom and China Telecom. Together with a China Mobile deal signed in February, this means that the Estonia/U.S.-based mobile payments company is now the first and only payments provider that supports all three state-run telecoms in China, which dominate the mobile communications market there.


This means that Fortumo, whose clients include Rovio, EA, Gameloft, Zeptolab and Badoo, will now be able to help developers gain a potentially large and lucrative foothold in China. Fortumo works with developers who want to break into countries where few consumers use payment methods like credit cards and instead pay for app downloads through their mobile carriers.


Carrier billing accounts for up to 75% of all revenue generated from Android apps in China, says Gerri Kodres, Fortumo’s Senior Vice President of Business Development and Carrier Partnerships.


“China has a number of payment options, including Uni-Pay and Alipay, but during the last six months carrier billing has taken a very strong market share,” says Kodres. China currently accounts for less than 10% of Fortumo’s revenue, but Kodres anticipates that number will grow to about 30% within two years.


Fortumo also helps foreign developers localize in China’s fragmented app marketplace by giving them access to different distribution channels. This is important because Google Play is inaccessible there and Android apps are sold through several platforms. Fortumo distributes apps in all leading Chinese stores, including stores operated by China Mobile, China Unicom and China Telecom, Baidu’s and Qihoo 360’s app stores, 91 Wireless, Wandoujia and HiAPK.


“If you want to help Android [app] merchants in China, then you can’t just provide billing, you also have to help them with distribution because the market is much different in China than elsewhere globally,” says Kodres.


Another important channel is pre-loads on mobile phones. In June, Fortumo announced a partnership with Chinese mobile manufacturer ZTE Joygor to power in-app payments and preload apps onto Android smartphones destined for domestic sale or export to countries such as Indonesia.


Kodres says his company will continue to pursue similar deals with other manufacturers as it expands its business in China. Fortumo recently opened a Beijing office and has signed international distribution agreements with top Chinese developers like CocoaChina (Chukong), Gamewave and Boyaa.


Fortumo was launched in 2007 and currently supports carriers in about 80 countries. In February it raised about $10 million in funding from Intel Capital and Greycroft Partners.