More stories


AWS asks for provider immunity under new Australian account takeover warrants

    Amazon Web Services (AWS) has asked for the introduction of a mechanism that can provide online account providers with immunity when responding to account takeover warrants issued by certain Australian law enforcement bodies.
    The call for such a mechanism follows the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 being introduced into Parliament, which, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new warrants for dealing with online crime.
    The first warrant is a data disruption warrant, which according to the Bill’s explanatory memorandum is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
    The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
    The last warrant is an account takeover warrant that will allow the agencies to take control of an account for the purposes of locking a person out of the account.
    AWS said the first and third warrants are “formulated for fundamentally different objectives for law enforcement, compared to warrants that law enforcement agencies can currently seek”.
    “These two warrants are intended not for the purpose of gathering evidence per se, but to allow law enforcement agents to effectively stand in the (online) shoes of persons suspected of engaging in potential criminal activity,” it wrote in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security as part of its review into the Bill.

    “Though ancillary to existing warrants, both of these warrants are a significant departure from current provisions and their issue will involve an elevated risk to the liberty and privacy of citizens whose online accounts are impacted by law enforcement activities.”
    AWS believes the execution of warrants by law enforcement or provision of assistance in good faith to law enforcement officers executing a warrant should not result in civil liability to a person.
    It said that for account takeover warrants and assistance provided under assistance orders relating to account takeover warrants, there should be provision protecting third parties from liability.
    “AWS submits that the Bill should be amended to introduce a new immunity for online account providers in relation to the execution of account takeover warrants,” it wrote.
    “The immunity should extend to criminal and civil liability, or an action or other form of proceeding for damages, in relation to an act or omission done in good faith in purported compliance with, or in the furtherance of a requirement under, an account takeover warrant.”
    AWS is also concerned the new warrants might force the cloud giant into introducing systemic weaknesses or vulnerabilities into its systems.
    AWS raised similar issues a few years ago, previously stating that provisions of the Telecommunications and Other Legislation (Assistance and Access) Act 2018 could require actions that have the potential to make technology systems less secure.
Provisions were eventually included in that Act listing the matters decision makers must consider when determining whether a notice seeking industry assistance is reasonable and proportionate.
    For the latest draft legislation, it has requested that similar considerations be added and for technical feasibility to be an express consideration for those issuing warrants.
    “Additionally, AWS submits that the execution of the warrants proposed in the Bill should not result in the introduction of systemic weaknesses or vulnerabilities into any form of electronic protection of data implemented in a technology provider’s systems,” it wrote.
    “Such a warrant would be unreasonable in any circumstance as it would create significant and lasting risk to innocent third parties.”
AWS also asked that, given the potential cross-over of legislative provisions relating to assistance, the Bill use the criteria within the Assistance and Access Act to determine what is “reasonable and proportionate”.
    “As drafted, the Bill does not provide, in our view, sufficient protection for individual employees of technology providers such as cloud services, and creates an assistance regime that is different from that specified for technology providers under the Assistance and Access Act,” AWS wrote.
    “The Bill enables law enforcement to seek an assistance order requiring a specified person to provide any information or assistance that is reasonable and necessary to execute the warrant. A specified person includes an employee of the owner or lessee of the computer, or a person engaged under a contract for services by the owner or lessee of the computer, or a person who is or was a system administrator for the system including the computer.”
    It said these definitions could include employees of a cloud service provider.
    AWS is also concerned employees who might be ordered to either do an act or thing or omit to do an act or thing under an assistance order may then be forced to breach a foreign law or cause another person to breach a foreign law.
It has, as a result, asked that the Bill make it clear that any such requirement would be unreasonable, or that it provide a defence for an individual who refuses to do the act or make the omission.


    ASD says cyber attack intervention will be 'rare' under critical infrastructure Bill

    The Australian Signals Directorate (ASD) expects intervention in the cyber attack response of companies considered critical infrastructure to only occur in “rare circumstances”.
    As described in the current form of the Security Legislation Amendment (Critical Infrastructure) Bill 2020, government assistance will be provided to entities in response to significant cyber attacks on Australian systems. Tech giants operating in Australia, such as Amazon Web Services, Cisco, Microsoft, and Salesforce, have all taken issue with these “last resort” powers.
    “In the rare circumstance of a serious cybersecurity incident impacting the availability of key critical infrastructure assets, Part 3A, Division 5 of the Bill provides a mechanism for government to directly assist an asset owner or operator in rapidly responding to, and remediating a cybersecurity incident,” the ASD explains in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
    ASD may be requested by the Secretary of the Department of Home Affairs to assist in responding to a serious cybersecurity incident. The Minister for Home Affairs must consult with the asset owner or operator before authorising the Secretary to request ASD assistance, and the measures authorised must be “proportionate and technically feasible”.
    Before stepping in, the government must be satisfied that a cybersecurity incident has occurred, is occurring, or is imminent; that the incident is having a relevant adverse impact on the functioning of a critical infrastructure asset; the incident is posing a material risk to the social or economic stability of Australia, its people, national defence, or national security; the relevant entity or entities are unwilling or unable to take all reasonable steps to respond to the incident; and no other options for a practical and effective response exist.
    “Interventions under this provision are limited,” ASD said. “In responding to a critical cyber incident, ASD’s incident response teams will only be able to undertake actions specified in the Ministerial Authorisation.”
    However, this may include accessing, modifying, or altering the functioning of computers and implementing mitigations, restoring from backups, and installing “incident response tools”.

    It may also include accessing, restoring, copying, altering, or deleting software.
    The tech community is concerned such governmental intervention would undermine the objectives of defence and recovery. Microsoft, for example, believes this would result in “The Fog of War”, further complicating any attempt to mitigate cyber attack response.
    The draft legislation, which entered Parliament in December, also introduces a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the ASD, as well as enhanced cybersecurity obligations for those entities deemed critical infrastructure.
    In its submission, ASD said its knowledge of domestic cybersecurity threats and vulnerabilities relies on the Australian community and industry to voluntarily report incidents.
    “More incident reports to ASD through the provisions proposed in the Bill will assist in building improved national situational awareness and allow ASD to identify trends, and provide targeted advice to others in order to assist entities to better prepare and protect their networks and Australia’s critical infrastructure,” it told the PJCIS.
    It said just over a third of all incidents reported to the ASD’s Australian Cyber Security Centre over the last 12 months have been from Australia’s critical infrastructure sectors.
    “This is expected to be just a fraction of the number of cybersecurity incidents affecting critical infrastructure given the voluntary nature of reporting,” it said.
    Under the proposal, once a responsible entity becomes aware of a cybersecurity incident, it must be reported within 12 hours if the incident is having a significant impact on the availability of the asset; or 72 hours if the incident is having an impact on the availability, integrity, or reliability of the asset or on the confidentiality of information about, or held by, the asset.
    “The primary purpose of ASD receiving information under Part 2B will be to improve national situational awareness, allowing the production of anonymised mitigation advice to assist individual sectors or organisations more broadly to take steps to protect themselves,” ASD wrote.


    Microsoft asks government to stay out of its cyber attack response in Australia

    Microsoft has taken the opportunity to remind the federal government of the issues it takes with the proposed critical infrastructure legislation by flagging several aspects of the Bill that it believes could unintentionally make Australia’s security posture less secure.
    The draft legislation in question, the Security Legislation Amendment (Critical Infrastructure) Bill 2020, was published by the Department of Home Affairs in November. It was then introduced to Parliament in December, with Minister for Home Affairs Peter Dutton labelling it as a significant step in the protection of critical infrastructure and essential services that Australians rely upon.
    The Bill seeks to amend the Security of Critical Infrastructure Act 2018 to implement “an enhanced framework to uplift the security and resilience of Australia’s critical infrastructure” that would extend the application of the Act to communications, transport, data and the cloud, food and grocery, defence, higher education, research, and health.
    If passed, the laws would introduce a positive security obligation for critical infrastructure entities, supported by sector-specific requirements and mandatory reporting requirements to the Australian Signals Directorate (ASD); enhanced cybersecurity obligations for those entities most important to the nation; and government assistance to entities in response to significant cyber attacks on Australian systems.
    Having already highlighted concerns with the Bill before it entered Parliament, Microsoft in its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) has reiterated its belief that governmental intervention undermines the objectives of the proposed legislation.
“Microsoft has significant concerns about this authority … we believe that a policy allowing for direct governmental intervention would undermine the government’s objectives of defence and recovery,” it wrote.
    “Rather, in many cases, it is the individual organisations themselves, and not the government, that are best positioned to determine how to appropriately respond to and mitigate the impact of cyber incidents.

    “It would take a preclusive amount of time for the government to come into a live incident, properly understand the fact pattern, the technologies in play and the challenges of any decisions, and then be able to direct an appropriate response.”
    According to Microsoft, this contributes to what military strategists have referred to as the “Fog of War”.
    It’s a concept that has been applied to cyber incident responses, where additional risk is introduced during the initial phases of an ongoing crisis because the ability of subject matter experts and network defenders to adequately respond is hampered by an onslaught of information requests, speculation, and well-intended ideas from individuals or organisations when the malicious activity is yet to be fully understood by anyone.
    It said further complicating any such operation is the fact that the government would be doing so without a thorough understanding of the specific resources and protocols available for deployment, and that the “resources required to obtain such knowledge would be prohibitively expensive, logistically complicated, and amount to an extremely invasive governmental intervention”.
    “As such, the danger of having a government direct a private sector entity’s response without complete knowledge of the situation and the technology cannot be understated,” Microsoft said.
    “Moreover, individual organisations are not only best positioned to respond; they also have as equal an incentive as the government to protect their own networks and maintain the trust of their customers.”
    Microsoft added that the risk of unilateral intervention by the government greatly increases the risk of unintended collateral consequences, impacting customers directly and indirectly by undermining trust, and threatens to make entities less secure.
Microsoft’s remarks reflected those of many of its peers, such as Cisco, Salesforce, and Amazon Web Services (AWS), in their respective consultation submissions.
    AWS is concerned that there isn’t clarity around whether the triggers for exercising such powers are objective and specific, whether or how the government would be able to objectively assess if its directions or assistance would improve the situation, what an entity could be directed to do or not do, what checks and balances would apply, and whether an entity has rights of review and appeal.
    Cisco requested there be checks and balances for all government assistance, especially for step-in powers.
    Taking this further, Microsoft said if the government believes it must retain authority to intervene in situations of extraordinary national emergency, it should also be prepared to assume full liability by indemnifying organisations for any collateral harm caused by its intervention.


    AustCyber merges with Stone & Chalk to boost local capability in emerging tech

AustCyber, the organisation charged with growing a local cybersecurity ecosystem, will merge with innovation hub Stone & Chalk; the two non-profits hope to boost Australia’s domestic industrial capability in critical and emerging technologies.
    The plan is to provide startups and scale-ups with “enhanced access to domestic and international customers, talent, and expertise together with the right sources of capital”.
    The organisations said this will accelerate the growth and maturity of the companies involved, while also creating new and highly-skilled jobs for Australians.
AustCyber, headed by Michelle Price, will become a wholly-owned subsidiary of Stone & Chalk, but it will retain its standalone brand, staffing structure, and national network of Cyber Security Innovation Nodes. AustCyber currently has 10 Nodes across the Australian Capital Territory, New South Wales, Queensland, South Australia, Tasmania, and Western Australia.
AustCyber will also continue to operate as one of the Australian government’s Industry Growth Centres.
    As part of the merger, Stone & Chalk will make its commercialisation support services available to Australian cybersecurity founders. This includes investment support, customer and talent acquisition, corporate partnerships, ecosystem support, and curated mentorship from commercial leaders.
    AustCyber will likewise provide its expertise to Stone & Chalk’s tech founders to ensure they are “secure by design” before they write any code at all.

“Together, they will also provide a powerful voice to better shape the policy and regulatory landscape for critical and emerging tech products and services,” a statement from Stone & Chalk said.
Stone & Chalk CEO Alex Scandurra said COVID-19 has made it clear that Australia can no longer depend so heavily on imported technology, which carries critical dependencies in its supply chains.
    “I am inspired and humbled to have the privilege of supporting the rapid growth of Australia’s cyber and emerging tech companies,” he said. “Our mission is to help them to rapidly and intelligently scale and in doing so, develop Australia’s industrial capability in strategically significant areas of emerging technology.
    “In making our two organisations one, we are combining the greatest concentration of cyber security industry expertise in the country with the most developed technology commercialisation infrastructure that Australia has ever built.”
    Price said she has long respected the capabilities of Stone & Chalk and joining forces will provide the organisations’ existing ecosystems with the tools they need to evolve, develop, and thrive.
    “It will also support those areas of the economy developing strategically important technologies whose industries are still forming and the understanding of economic and societal impact is still taking shape,” she said. 
    “In this environment, it has never been more urgent to provide commercialisation pathways for Australia’s cyber security founders and build a cyber resilient industrial capability to support our nation to prosper in the years to come.”


    Egregor ransomware operators arrested in Ukraine

    Members of the Egregor ransomware cartel have been arrested this week in Ukraine, French radio station France Inter reported on Friday, citing law enforcement sources.
    The arrests, which have not been formally announced, are the result of a joint investigation between French and Ukrainian police.
    Sources in the threat intel community have confirmed the existence of a law enforcement action but declined to comment for the time being.
    The names of the suspects have not been released. France Inter said the arrested suspects provided hacking, logistical, and financial support for the Egregor gang.
The Egregor gang, which began operating in September 2020, runs a Ransomware-as-a-Service (RaaS) model. The core group rents out the ransomware strain itself, but relies on other cybercrime gangs (its affiliates) to break into corporate networks and deploy the file-encrypting payload.
    Victims who resist paying the extortion fee are often listed on a so-called “leak site,” in the hopes of shaming them into paying the ransom demand. Victims who don’t pay often have internal documents and files shared on the Egregor leak site as punishment.

    The Egregor ransomware leak site
    Image: ZDNet
    If victims do pay the ransom demand, the gang which orchestrated the intrusion keeps most of the funds, while the Egregor gang takes a small cut. The gang then launders these profits through the Bitcoin ecosystem via Bitcoin mixing services.

According to the France Inter report, the arrested suspects are believed to be some of these “affiliates” (or partners) of the Egregor gang, who help prop up its operations.
    France Inter said French authorities got involved in the investigation after several major French companies were hit by Egregor last year, such as game studio Ubisoft and logistics firm Gefco.
    An investigation was started last year, and French police, together with “European counterparts,” were able to track down Egregor members and infrastructure to Ukraine.
    Egregor leak site down since Friday
    While, at the time of writing, details about the law enforcement action are murky, the arrests appear to have had a pretty big impact on Egregor operations.
    “Recorded Future has observed that Egregor infrastructure, including their extortion site and command and control (C2) infrastructure, has been offline since at least Friday,” Allan Liska, a security researcher for threat intelligence firm Recorded Future, has told ZDNet in an email.
    “While there has been no police banner, as there often would be in this case, it is unusual for ransomware actors as well-resourced as Egregor to have all of their infrastructure go offline at the same time,” he added.
    Egregor has made more than 200 public victims
    The arrests in Ukraine have hit one of last year’s most active ransomware operations.
    While the Egregor RaaS formally launched in September 2020, many security experts believe the Egregor gang is actually the older Maze ransomware group, which began operating in late 2019.
    The Maze gang abruptly shut down in September 2020, a few weeks after Egregor began operating. Reports from threat intelligence firms at the time said that the Maze gang had privately notified many of its top “affiliates” to move over to the Egregor RaaS.
    Currently, many security researchers believe the Egregor RaaS is an upgraded and rebranded version of the older Maze operation.
    “Recorded Future has tracked 206 victims published to the Egregor extortion site and, before the switchover, 263 victims published to the Maze site,” Liska told ZDNet.
    “The two variants combined accounted for 34.3% of victims published to all ransomware extortion sites (14.9% Egregor),” Liska said.
    A Coveware report published last month confirmed Recorded Future’s assessment, listing Egregor as the second most active ransomware gang for Q4 2020.
    However, it is unclear what the damage of this week’s law enforcement action will be on Egregor’s future. Last month, US and Bulgarian authorities disrupted the Netwalker ransomware gang by seizing servers and arresting one of its affiliates, and the RaaS service has been inactive ever since.
    A Chainalysis report published at the start of the month listed the Egregor/Maze gang as one of the top 5 earners in the ransomware landscape, with earnings between $40 million and $50 million.
    This was confirmed by Liska, who told ZDNet that Egregor’s average ransom demand was around $700,000, making it among the largest ransom demands of any ransomware family.
    Maze’s 2020 dox
But a pretty significant event took place last year, in November, when the operators of the REvil (Sodinokibi) ransomware gang (#1 on that Coveware Q4 2020 ransomware report) claimed to have identified the real identities of the persons behind the Maze service, their rival.

At the time, security analysts considered the REvil stunt an attempt to sabotage a rival’s public image, but nobody commented on the accuracy of the dox, and ZDNet was told several of them shared the information with law enforcement agencies.


    Scallops, vaccines and Tesla: The wild world of blockchain and cryptocurrency

    This week, Tesla announced it purchased $1.5 billion of the cryptocurrency Bitcoin. The company even hinted that customers might soon have the option to pay for their cars with Bitcoin. Welcome to 2021, where nothing makes sense anymore. 

    Tesla’s desire to legitimize both cryptocurrency and blockchain with its Bitcoin investment has brought these technologies into the forefront of the news and has sparked a mainstream interest. However, cryptocurrency and blockchain are often confused, and they can also be challenging concepts to understand.
    Blockchain fundamentals
    Blockchain is the foundational technology used by various cryptocurrencies such as Bitcoin and Dogecoin.
    In its simplest form, Blockchain is a database. With a traditional database, information is stored in fields, organized into rows and columns, and indexed for fast retrieval. Those fields can be things like name, address, phone number, and also pointers to “blob” data like multimedia files — videos, images, waveform audio, that sort of stuff. We call these collections of rows and columns “tables.” The structure of these tables and the relationships between them are referred to as a database schema. 
    Fields can be updated in traditional databases as they are changed. For example, when you use Facebook or Instagram and add new tags, mark the location, or reply to someone’s comment, you’re interacting with a traditional database.
With blockchain, data is organised in a completely different way. Records are collected into groups, or blocks, and each new block is appended to the end of the chain and explicitly linked to the block before it. The result is a strictly sequential log in which every block builds on all of the blocks that precede it.

This structure is what makes a blockchain tamper-evident. Every block carries a cryptographic hash (its fingerprint) computed over its own contents, its timestamp and the hash of the block before it. Change a single byte in an old block and its hash changes, which invalidates the hash stored in the next block, and so on all the way to the tip of the chain. Rewriting history therefore means recomputing every later block, and in a decentralised network it also means convincing the majority of other participants to accept the rewritten version. That, rather than the timestamp alone, is what makes the record effectively irreversible.
Most blockchain systems are decentralised: the computers that process transactions are distributed worldwide. A transaction is created on a client, signed with the sender’s private key, and broadcast to the network of peer-to-peer systems, or nodes. Each node independently checks that the signature is valid and that the sender actually holds the funds being spent. That is where the “crypto” aspect comes into play: digital signatures prove who authorised a transaction, and hash functions bind the blocks together.
A network can have as few as a dozen nodes or as many as the roughly 10,000 publicly reachable nodes Bitcoin has, or potentially more. Validated transactions are gathered into a candidate block; in proof-of-work systems such as Bitcoin, miners then compete to find a value (the nonce) that makes the block’s hash fall below a difficulty target. The winning block is appended to the chain, linked by hash to the history of every transaction before it, and the transaction is complete, although in practice it is only treated as final once several further blocks have been built on top of it.
    So what is Blockchain good for besides cryptocurrency?
    In summary, a blockchain-based system’s objective is to allow digital information to be recorded and distributed but not edited. This has applications in many industries. Companies are already using this technology to perform supply chain tracing of stuff like seafood. 
    For example, when a scallop fisher catches their haul on a fishing trawler off of Cape Cod, that catch’s location is recorded in the initial blockchain transaction. The fisher uses a grading process to record the type of scallop, takes a photograph and video, and puts the catch in cold storage. The seafood is brought to a port, processed and packaged, then shipped out to a distributor’s refrigerated warehouse. From there, boxes of scallops are loaded onto trucks and sent to your local supermarket chain’s distribution center. Next, the seafood is trucked to your local supermarket — where the fishmonger takes the scallops out of the crate and puts them up for sale in the refrigerator or freezer case. 
    If anything goes wrong with the scallops, or if you, the consumer, want to know where those scallops came from, that scallop package has a serial number and can be traced back to the moment it came out of the water in Cape Cod. IBM built a system for precisely this purpose. And companies like Walmart are using it for produce tracking, such as for leafy greens like lettuces and spinach. Consider how important this is: We’ve seen those kinds of vegetables become contaminated with E.coli and other pathogens. The blockchain system enables anyone in the chain to track down which field in which farm in California a particular bag of green stuff comes from.
    Whenever you need a timestamped transaction record that cannot be altered, and for supply chain traceability, this technology will be essential. There’s already talk about using this technology for COVID-19 vaccine passports. 
    As with scallops, so with vaccines. 
    When a vaccine is manufactured at a pharmaceutical plant, the specific manufacturing run is recorded as a batch. The batch is dispensed into vials (each vial has a serial number), which goes into a box (each box has a lot number). That box is then loaded onto trucks, which may go to a pharmaceutical distributor and then is shipped to a hospital network, which opens those boxes, opens a vial, and finally distributes doses to patients. 
Each timestamped dose can then be recorded in the patient’s record: which vaccine they received and when and where they received it. That record cannot be quietly altered afterwards, because every block’s hash commits to its contents and to the block before it, so any edit is detectable by anyone re-verifying the chain. Note that the ledger is tamper-evident, not encrypted, and it only guarantees the record has not changed since it was written, not that what was written was correct. If the wrong batch number is entered at the plant, the blockchain will faithfully preserve the wrong batch number.
    Blockchain technologies can be applied to insurance, mortgages, and even voting systems — anywhere you need that end-to-end record of something and multiple parties are involved. 
When blockchains are used in this trust-establishing way, where more than one party must validate a block before anything else can happen, they are usually referred to as distributed ledgers (often permissioned, so that only known organisations run nodes), and the business rules that act on them are called smart contracts. Several highly regulated industries are already looking into blockchain for this sort of application.
    What is cryptocurrency anyway?
    Ok, but first, what the heck is money? Money has been an abstract construct throughout human history; it was created to exchange goods and services. Typically, money has value because it is exchanged for something of value, and the value of that item depends on the overall demand for that item. 
    At a basic level, the monetary value of, say, what someone does for a living is valued against what someone else does for a living based on demand and scarcity. It is commonly accepted that a ditch digger gets paid less than a doctor because of the value of the education the doctor achieved and invested in. Similarly, a one-kilogram lobster costs more than a kilogram of rice because of the effort and resources that it took to produce and harvest those things on a relative basis. 
In previous decades, a nation’s money or currency was backed by precious metals such as gold, but that is no longer common practice. Today’s currencies are fiat money: they have value because the issuing government declares them legal tender, and their exchange rates are set on currency markets by supply and demand for a country’s goods and services and by confidence in the stability of the government that issues them.
    That all sounds hugely existential, and it becomes an intense conversation when you start to explore monetary systems and capitalist theory and things like that.
Cryptocurrency, as it exists today, is not backed by a government or by a reserve asset. Its price is whatever buyers on exchanges are willing to pay; the computing power spent to produce new units influences that price but does not guarantee it, and the system operates independently of nation-states. Cryptocurrency systems use a blockchain to keep the indelible record of every transaction, which is how the network ensures that each unit exists, that it is not spent twice, and that past transfers cannot be altered after they are confirmed.
    The dark side of cryptocurrency
    This process of creating something out of effectively nothing, other than a large group of computers churning through processor cycles, is called mining. Mining is achieved by running a special program on a client computer. The program works through a series of computationally expensive calculations until one result yields a valid block, which is recorded as a fractional unit of that cryptocurrency.
    Typically, a single mining node dedicated to cryptocurrency production is a modest x86 PC CPU with one or more high-end GPUs for accelerating the compute processes. Entities that are highly invested in this endeavor have set up “mining farms” where dozens or even hundreds of computers dedicate their processing cycles to producing cryptocurrency like Bitcoin.

    Naturally, it takes a lot of power and cooling to generate cryptocurrency, and the energy required to do this requires fuel. The world is still primarily reliant on fossil fuel power generation. So it’s not a particularly green way of creating things of value. 
    Although considered a very environmentally wasteful use of computational resources, using and mining cryptocurrency is completely legal in most countries; Algeria, Egypt, Morocco, Bolivia, Ecuador, Nepal, and Pakistan have outlawed it because it potentially threatens their fiat currency.
    However, while completely legal in the majority of nations, it’s no coincidence that cryptocurrency mining farms have proliferated in parts of the world where a large number of cybercrime’s bad actors reside, such as in China, North Korea, Russia, the Middle East, and Eastern Europe. We have seen miner programs being used by actors from these countries as secondary malware payloads, so your computer could end up running one in the background as a virus, and you might not even know it. 
    Your mom’s $300 PC she bought at Costco may not be a $3000 crypto box with multiple GPUs that can churn out Bitcoin or Ethereum at a significant pace. Still, a bad actor who infects 10,000 of those mom PCs can generate many crypto coins.
    Additionally, entities with significant computational resources, be it a nation-state or a bad actor, can potentially mine an awful lot of cryptocurrency. They can become disproportionately large players on a cryptocurrency network and potentially control that network for short periods by preventing new transactions from getting confirmations and, in turn, halting payments between some or all users. They might also be able to reverse transactions completed while they control these networks, meaning they could double-spend the coins.
    Fortunately, controls are built into these networks that prevent these so-called 51 percent attacks, where malicious actors with large amounts of computational power can temporarily control a cryptocurrency network. 
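    To make the mining and “indelible record” ideas above concrete, here is a small added Python example (not code from the original article or from any real cryptocurrency project). It builds a toy proof-of-work chain: each block commits to the previous block’s hash, “mining” means searching for a nonce until the header hash has the required number of leading zero bits, and verification walks the chain checking every link. Altering an old block breaks verification, and restoring a valid chain means re-mining that block and every block after it, which is the cost that a majority of the network’s hash power is needed to pay. The difficulty, transaction strings and function names are constructed for the demo; real networks use far higher difficulty and richer block formats.

```python
import hashlib
import json

# Toy difficulty: the block hash must start with this many zero bits.
# Constructed value for a quick demo; real networks demand vastly more work.
DIFFICULTY_BITS = 14
GENESIS_PREV = "0" * 64


def header_hash(header: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the header (its own hash excluded)."""
    body = {k: v for k, v in header.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True when the top `bits` bits of the 256-bit digest are all zero."""
    return (int(digest_hex, 16) >> (256 - bits)) == 0


def mine_block(prev_hash: str, txs: list, bits: int = DIFFICULTY_BITS) -> dict:
    """Search nonces until the header hashes below the target; this loop is 'mining'."""
    header = {"prev": prev_hash, "txs": txs, "nonce": 0}
    while True:
        digest = header_hash(header)
        if meets_target(digest, bits):
            header["hash"] = digest
            return header
        header["nonce"] += 1


def build_chain(batches: list, bits: int = DIFFICULTY_BITS) -> list:
    """Mine one block per transaction batch, each linked to the previous block."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = mine_block(prev, txs, bits)
        chain.append(block)
        prev = block["hash"]
    return chain


def verify_chain(chain: list, bits: int = DIFFICULTY_BITS) -> bool:
    """Check linkage, stored hash and proof-of-work for every block."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:
            return False
        if header_hash(block) != block["hash"] or not meets_target(block["hash"], bits):
            return False
        prev = block["hash"]
    return True


def tamper(chain: list, index: int, new_txs: list) -> list:
    """Copy the chain and alter one block's transactions without re-mining."""
    forged = [dict(b) for b in chain]
    forged[index]["txs"] = new_txs
    return forged


def remine_from(chain: list, index: int, bits: int = DIFFICULTY_BITS) -> tuple:
    """Re-mine block `index` and every later block. Returns (new_chain, blocks_remined)."""
    fixed = list(chain[:index])
    prev = fixed[-1]["hash"] if fixed else GENESIS_PREV
    for block in chain[index:]:
        new_block = mine_block(prev, block["txs"], bits)
        fixed.append(new_block)
        prev = new_block["hash"]
    return fixed, len(chain) - index


if __name__ == "__main__":
    # Constructed sample transactions.
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]])
    print("honest chain valid:", verify_chain(chain))
    forged = tamper(chain, 0, ["alice->mallory:5"])
    print("tampered chain valid:", verify_chain(forged))
    redone, count = remine_from(forged, 0)
    print("blocks re-mined to make the forgery valid:", count, "valid:", verify_chain(redone))
```

    The point the demo makes for a defender is that a single altered block is trivially detected by anyone who re-verifies the chain; what protects history is not secrecy but the work an attacker would have to redo for every subsequent block faster than the honest network keeps extending it.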
    Why does Elon Musk care so much about cryptocurrency?
    As a company, Tesla is only profitable because a significant portion of its income comes from selling Renewable Energy Credits (RECs). If its income were based solely on the sale of automobiles and solar panels, the company would be posting hundreds of millions of dollars in losses per quarter.
    Tesla can sell these credits because, in 13 states, any auto manufacturer that wants to sell its cars in that state must also sell a certain number of electric or zero-emission vehicles (ZEVs). If you sell enough electric cars, you get a credit with that state. If an automaker doesn’t sell ZEVs, or doesn’t sell enough of them, it has to buy credits from someone who holds them in order to make up the carbon deficit and keep selling cars in that state.

    Since Tesla sells a lot of electric cars, or rather, only electric vehicles, it has no reason to keep those credits; it can sell them to other automakers. These credits also expire, so it’s in Tesla’s best interest to unload them. With the sale of its surplus carbon credits, Tesla made about $428M in the second quarter of 2020 alone, beating its first-quarter credit sales of $354M.
    Eventually, automakers like GM, Volkswagen, and Nissan will all be producing lots of electric cars and meeting their carbon credit quotas, which means that Tesla will need to find other ways of making money. It will need to sell more cars and more solar panels (which it could also use, presumably, to mine cryptocurrency in large farms).
    Other than using its vehicles and technology to directly generate income, such as by creating an autonomous rideshare service, selling more of its batteries to third parties, or massively scaling out its solar roof production and becoming the market leader in that space, Tesla will need other sources of revenue when the carbon credit game evaporates.
    Expanding the ways people can pay for cars (and presumably, its panels and its batteries) is critical for Tesla to stay afloat financially. And people want avenues to spend that Bitcoin or Dogecoin or Ethereum or whatever. Today, cryptocurrency is not unlike Amex points or airline travel credits: it exists and circulates within its own limited ecosystems, and moving it out of those ecosystems to convert it into cash or use it as a direct method of payment is difficult.
    So being the car or tech manufacturer for cryptocurrency millionaires today gives Tesla an edge, potentially a lifeline to staying profitable in the longer term, when everyone with some crypto cash can use this new form of money as a down payment on a car or a solar array.
    Does cryptocurrency have value, and can it be legitimized?
    Tesla’s challenge is this: a currency only has value if it can be spent. Large investment banks like UBS are saying that Bitcoin and other cryptocurrencies don’t have intrinsic value. It isn’t legal tender like fiat currency issued by a nation-state. These banks characterize it as an underworld, sketchy thing with which they don’t want to be associated. Analysts at UBS also believe that cryptocurrency’s fixed supply, meaning that the currency supply cannot be restricted the way a nation-state would restrict real money if demand for the currency goes down, is a severe economic flaw that could eventually cause the entire system to collapse.
    Fiat currencies have value because nation-states say they have value and agree to exchange their value with other nation-states. Likewise, there are cryptocurrency exchanges, such as Coinbase and Kraken, that allow holders to convert their holdings into cash. For many, cryptocurrency investment is a long game, a gamble on the belief that it will eventually be intense competition for fiat currency or for commodities like precious metals.
    There is also the issue of the currency’s seedy reputation, which has arisen from the type of black market goods — drugs, guns, and even financing North Korean nuclear weapons programs, for example — for which it’s become convenient tender because it’s an anonymous and utterly untraceable way of exchanging something that has intrinsic value. And with any emerging technology, some aggressive players want to get in early and control it with offensive use of patents in the blockchain and cryptocurrency space.
    There’s some hope on the horizon, though. Square, one of the leaders in merchant services aggregation and mobile payments, has founded COPA, a cryptocurrency patent alliance, to ensure that the ecosystem remains vibrant and open for developers and companies investing in the industry. Square has also invested $50M in Bitcoin because it believes it is an economic empowerment instrument and allows individuals and small businesses to participate in a global monetary system. Square is led by Twitter CEO Jack Dorsey, a huge fan of cryptocurrency and Bitcoin who recently set up his own Bitcoin node. And while it has not done so yet, Twitter’s own CFO has suggested that the company may soon add Bitcoin to its balance sheet, as well. 
    Despite large investment banks like UBS stating that cryptocurrencies aren’t good portfolio investment strategies for their clients, some large institutions are starting to get in on the cryptocurrency act. On February 10, Mastercard Inc., one of the largest financial services players, and Bank of New York Mellon Corp, one of the largest banks, announced they would make it easier for their customers to use cryptocurrencies. Mastercard will focus its support on the so-called “stable coins” tied to the value of other assets, such as the US dollar. In contrast, the Bank of New York said that it would transfer and issue Bitcoin and other cryptocurrencies for institutional customers.
    As of this writing, few businesses accept cryptocurrency as a direct form of payment. For now, companies like Tesla are on the fringe, and unless we see lots of companies accept Bitcoin and other cryptos as a payment method, the company is essentially on its own here. But with Elon Musk’s stake in the ground, we may see other companies — particularly makers of luxury goods that are in lesser demand during this pandemic-hampered global economy — begin to accept crypto as payment and help to legitimize it as actual money.


    Apple will proxy Safe Browsing traffic on iOS 14.5 to hide user IPs from Google

    Apple’s upcoming iOS 14.5 release will ship with a feature that re-routes all of Safari’s Safe Browsing traffic through Apple-controlled proxy servers, a workaround to preserve user privacy and prevent Google from learning the IP addresses of iOS users.

    The new feature, spotted by a Reddit user earlier this week and covered in a report from 8-bit, has been formally confirmed by Maciej Stachowiak, Head of WebKit Engineering at Apple.
    The new feature will work only when users activate the “Fraudulent Website Warning” option in the iOS Safari app settings.
    This enables support for Google’s Safe Browsing technology in Safari. The Safe Browsing technology works by taking a URL the user is trying to access and sending the URL in an anonymized state to Google’s Safe Browsing servers, where Google accesses the site and scans for threats.
    If malware, phishing forms, or other threats are found on the site, Google tells the user’s Safari browser to block access to the site and show a fullscreen red warning.
    Years ago, when Google launched the Safe Browsing API, the company knew what sites a user was accessing; in recent years, however, Google has taken several steps to anonymize the data sent from users’ devices via the Safe Browsing feature.
    But while Google has anonymized the URL strings, by sending the link in a cropped and hashed state, Google still sees the IP address from which a Safe Browsing check arrives.

    Apple’s new feature basically takes all these Safe Browsing checks and passes them through an Apple-owned proxy server, making all requests appear to come from the same IP address.
    Some might call the move redundant, since Google is already unable to see which URL the user was checking, but the feature is consistent with other measures Apple has been taking lately, focusing on improving its users’ privacy.
    Many of these features have encroached on and disrupted Google’s huge presence in the user analytics and tracking sector.
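    To show what “cropped and hashed” buys the user, and what the proxy adds on top of it, here is an added Python simulation of the exchange described above. It is not Apple’s or Google’s code: the canonicalization routine is deliberately simplified (the real Safe Browsing rules are more elaborate), the 4-byte prefix length, the server and proxy classes, the URLs and the IP addresses are all constructed stand-ins. The client sends only a short hash prefix, the server answers with every full hash it knows that shares that prefix, and the client finishes the comparison locally, so the server never sees the URL. With the proxy in the path, the server additionally stops seeing the client’s source address.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_BYTES = 4  # the client reveals only this many bytes of the 32-byte digest (demo choice)


def canonicalize(url: str) -> str:
    """Simplified canonical form: lowercase host, path, query; scheme and fragment dropped.
    Assumption: a stand-in for the far more detailed real canonicalization rules."""
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}{path}{query}"


def full_hash(url: str) -> bytes:
    return hashlib.sha256(canonicalize(url).encode()).digest()


def hash_prefix(url: str) -> bytes:
    return full_hash(url)[:PREFIX_BYTES]


class ThreatListServer:
    """Stand-in for the Safe Browsing backend (constructed, not the real service)."""

    def __init__(self, unsafe_urls):
        self.unsafe_hashes = {full_hash(u) for u in unsafe_urls}
        self.client_ips_seen = []   # what the operator could log about callers
        self.prefixes_seen = []     # what the operator could log about lookups

    def lookup(self, prefixes: list, source_ip: str) -> list:
        """The server learns a source IP and short prefixes, never a URL or full hash."""
        self.client_ips_seen.append(source_ip)
        self.prefixes_seen.extend(prefixes)
        return [h for h in self.unsafe_hashes if h[:PREFIX_BYTES] in prefixes]


class PrivacyProxy:
    """Models the Apple-controlled relay: forwards the prefixes under its own egress IP."""

    def __init__(self, upstream: ThreatListServer, egress_ip: str):
        self.upstream = upstream
        self.egress_ip = egress_ip

    def lookup(self, prefixes: list, source_ip: str) -> list:
        # The client's real source_ip stops here; upstream sees only the proxy's address.
        return self.upstream.lookup(prefixes, self.egress_ip)


def is_unsafe(url: str, resolver, client_ip: str) -> bool:
    """Client side: send only the prefix, then compare the returned full hashes locally."""
    candidates = resolver.lookup([hash_prefix(url)], client_ip)
    return full_hash(url) in candidates


if __name__ == "__main__":
    # Constructed sample list and addresses (documentation ranges, not real hosts).
    server = ThreatListServer(["http://malware.example/payload.html"])
    print("direct  :", is_unsafe("http://malware.example/payload.html", server, "203.0.113.7"))
    proxy = PrivacyProxy(server, "198.51.100.1")
    print("proxied :", is_unsafe("http://malware.example/payload.html", proxy, "203.0.113.7"))
    print("IPs the server saw:", server.client_ips_seen)
```

    The design shifts rather than removes the question of who sees the source address: the proxy operator now observes client IPs together with prefixes, which is why the privacy gain depends on trusting that operator more than the list provider.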
    This includes pioneering broad anti-tracking features in Safari, and forcing app makers to add “privacy labels” to their App Store listings, a requirement that Google has mysteriously avoided by simply not updating any of its apps since last year.
    iOS 14.5 is currently in beta and is expected to be released in the coming months.

    Dating apps: Data shows an increase in Saturday installs, but bots cause problems

    Berlin, Germany-based SaaS platform Adjust has released its dating app marketing guide. The guide contains benchmarks, spotlights on industry leaders, and tips on how app developers can retain users through gender targeting and in-app video streaming.

    Over 270 million adults worldwide used dating apps in 2020, and almost two in five (39%) of US adults reported meeting their partner online. However, a major risk to an app’s reputation is the presence of bots on the platform, which frustrate users or expose them to scams. Fake accounts are generated on a huge scale to engage users and spread spam, link to illicit or explicit sites, lure people into scams, or generate fake likes to boost specific profiles.
    Adjust’s report shows that dating app installs and sessions are at their highest on weekends — Saturdays, in particular. App session length tends to spike early for dating apps, suggesting that users download the app, and quickly match with potential partners.
    The buzz and excitement of the app start to drop off toward day 30. Additionally, the report shows that Europeans spend significantly more time in-app than North American or Asian consumers.
    Sensor Tower
    US dating app downloads grew to reach a new high in Q1 2020, despite COVID-19, according to Sensor Tower’s State of Dating Apps report, which also shows that younger users are turning to dating apps during the pandemic.
    Although the average age for dating apps steadily declined in recent years, the COVID-19 pandemic accelerated this trend in early 2020. The average user age among the top dating apps was around 27.2 years old during the first three quarters of 2020 before jumping back up to 28.2 in Q4. School closures and social distancing orders increased demand among a younger user base.
    Unfortunately, dating apps are a hotspot for fake accounts that are trying to scam you. Adjust’s Unbotify feature shows that bots can interact with up to 4,000 profiles within one session. In 2019, the FBI received over 467,000 cybercrime complaints that caused over $35 billion in losses. Approximately 19,473 of those were victims of confidence or romance scams.

    So, how can dating app developers reduce the risk for their users? Apart from designing the app so that it does not use location-specific advice to track user movements, developers could include a ‘report’ button so that users can flag when they have interacted with a bot, allowing it to be removed from the platform.
    Developers can also use biometric indicators to differentiate bots from real human users and eliminate them from the platform. Users should get smarter about who they interact with and how much information they give away.
    You never know: that fabulous potential new partner might be a bot designed to trick you out of your money and break your heart, too.