More stories


    Owner of app that hijacked millions of devices with one update exposes buy-to-infect scam

    The owners of a popular barcode scanner application that became a malicious nuisance on millions of devices with one update insist that a third-party buyer was to blame. 
    Earlier this month, cybersecurity firm Malwarebytes explored how a trusted, useful barcode and QR code scanner app on Google Play that accounted for over 10 million installs became malware overnight. 
    Having gained a following and acting as innocent software for years, in recent months, users began to complain that their mobile devices were suddenly full of unwanted adverts. 


    Barcode Scanner was fingered as the culprit and the source of the nuisanceware, tracked as Android/Trojan.HiddenAds.AdQR. The researchers traced the change to malicious updates, which added aggressive advert-pushing code to the app. 
    The app’s analytics code was also modified and updates were heavily obfuscated. 
    Malwarebytes said the owner, Lavabird Ltd., was likely to blame, due to the ownership registration at the time of the update. Once reported, the software was pulled from Google Play.
    At the time, Lavabird did not respond to requests for comment. However, the vendor has now reached out to Malwarebytes with an explanation for the situation. 

    On February 12, Malwarebytes said that Lavabird blamed an account named “the space team” for the changes following a purchase deal in which the app’s ownership would change hands. 
    Lavabird purchased Barcode Scanner on November 23, and the subsequent space team deal was agreed on November 25.
    While the research team has been unable to contact “the space team,” Lavabird told Malwarebytes on February 10 that they were “outraged no less,” and Lavabird only acted as an “intermediary” between “the seller and the buyer in this situation.” 
    According to Lavabird, the firm develops, sells, and buys mobile applications. In this case, the company insists that the space team buyer of Barcode Scanner was allowed access to the Google Play console of the app to verify the software’s key and password prior to purchase. 
    It was the buyer, Lavabird says, that pushed the malicious update to Barcode Scanner users. 
    “Transferring of the app’s signing key when transferring ownership of the app is a legitimate part of [the] process,” the researchers commented. “Therefore, the request by “the space team” to verify that the private key works by uploading an update to Google Play seems plausible.”
    After the update was performed, the app was transferred to the buyer’s Google Play account on December 7. However, Malwarebytes says that at the time of the malware update, ownership still belonged to Lavabird. Note that a signing key can be verified by signing a test build locally and checking its signature; proving that the key works never requires publishing an update to users. 
    The first malicious update took place on November 27 and subsequent updates obfuscated the malware’s code, up until January 5, before the app was unpublished. 
    Lavabird did not verify the buyer, who was found through “word of mouth.” However, the company did say that “this lesson will remain with us for life.” 
    “From my analysis, what appears to have happened is a clever social engineering feat in which malware developers purchased an already popular app and exploited it,” commented Malwarebytes researcher Nathan Collier. “In doing so, they were able to take an app with 10 million installs and turn it into malware. Even if a fraction of those installs updates the app, that is a lot of infections.  And by being able to modify the app’s code before full purchase and transfer, they were able to test if their malware went undetected by Google Play on another company’s account.”
    If the account is accurate, and Collier considers it plausible, the case highlights a way for threat actors to exploit app developers and traders, and to test whether their malware evades Google Play’s checks while inheriting an established, trusted user base. 
    “We are very sorry that the application has become a virus, for us it is not only a blow to our reputation,” Lavabird told Malwarebytes. “We hope users will remove the app with a virus from their phones.”



    Fastest VPN in 2021: How we rated the top services

    Choosing a VPN can be a bit of a chore. First, you need to research which VPN is going to work for you. Then you’ll want to go through a trial run. But then comes the real test: you need to see how fast that trial goes on your internet connection once the VPN is set up on your machine and your network. Beth Mauder sits down with David Gewirtz to talk about the research and legwork David has done to come up with the fastest VPN on the market.
    Watch my conversation with Gewirtz above, or read a few of the highlights below.

    Beth Mauder: Why don’t you go ahead and walk us through what those tests look like?
    David Gewirtz: So there’s a variety of ways to figure this thing out, but remember that everybody’s VPN is going to be a little different because you’re in a different location. You’re on the East Coast, for example, I’m on the West Coast. People are in different countries and they’re usually using VPNs to move them to yet other countries. So your performance is going to be a little different. 
    From my set of tests, and I tested five VPNs over the course of about two weeks, I started with a raw Windows install, so that everything was consistent across each individual test. And then for each install, what I would do is do tests to a variety of countries, and when possible, repeat the vendor, the ISP in each of those countries. So I tried India, and Sweden, and Taiwan, and Russia, and either Australia or New Zealand, and tried to get out to those countries for each of the VPNs I tested. And then tested upload speed, download speed, and latency and ping time.
    I also tested how long it takes to establish the connection because it turns out that some of them take quite a bit longer to connect to the VPN than others. And that can get annoying, especially if you’re connecting on and off in different places. So that was the sum total of the test. So what I did is I repeated them three times for each test, and then I averaged the results to try to get some level of consistency. And it’s a pretty rote process. You just set it up and you run the tests and you record the numbers and put them together into, in my case, a big spreadsheet, which then got turned into charts, which were a lot more fun.

    Beth Mauder: David, after all of your testing, what were some of the fastest VPNs you can currently get?
    David Gewirtz: So I was very surprised. The fastest VPN for download that I found was a product called Hotspot Shield. And what surprised me about Hotspot Shield is they were very hypey in their promotion. They were the kind of company that you didn’t expect to live up to their promises because they were just so full of words, “The best, we’re the greatest, love us, best thing since sliced bread.” It turned out they were substantially faster. And actually, most of my performance to other countries was faster than it was with a direct connection to the other country. So that was an outlier. I was very surprised by that. Then we had CyberGhost was pretty quick. NordVPN was quick. Then StrongVPN and IPVanish wrapped up the set of the five that I did in my own testing.
    And I also aggregated tests from around the internet. And that gave me a much better picture. And I’ll talk about that in a second. But from my own personal tests of those five, Hotspot Shield, CyberGhost, and NordVPN were the fastest for download speeds. In terms of ping time, CyberGhost and NordVPN were the winners for how long it just took to send one signal to the remote site and get it back. That’s what ping time is. It’s I touch that site, I get back a response, and that’s a very quick response. And then time to connect, NordVPN and CyberGhost were slowest, and Hotspot Shield, IPVanish, and StrongVPN were the fastest.
    So we’re looking at a range from about two seconds to 16 seconds per connection. So you push your little button and you start to connect and you wait, and you wait, and you wait, and you wait, and then you get your connection. If you’re doing this a lot, if you’re going from airport location to airport location each time you’re reconnecting, then you want the one with the fastest ping connection. If you’re doing it once for your day, then you don’t really care.
    Beth Mauder: So you said you looked at other sites too, and you aggregated data from elsewhere. Were your tests confirmed? Did you look for something else? What’d you find?
    David Gewirtz: One of the things I did was I looked at 10 sites besides ZDNet, and most of them had lists of their top 10 or so VPNs. I eliminated anyone that only had one or two VPNs reviewed because I wanted to see performance across the world. And the purpose of looking at these sites was that every testing, every site that did these tests was in a different location doing different performance. So if we were able to look at each of these different sites, and then see what was consistent across all their results, we’d get a better picture. So what we found was that ExpressVPN, NordVPN, and Hotspot Shield were the top three across all of the sites we looked at. But what was interesting was what’s called the standard deviation, which is the difference between the results, your how many highs and how many lows you have.
    It turned out that NordVPN’s difference was very low. They were mostly ones and twos, where Hotspot Shield had a bunch of ones and a bunch of sixes. So what that tells me is that that performance is consistent in certain locations, but not consistent in other locations. And the same applies to a few of the others. So what we found was that if you’re looking for the truest, most consistent set of results across all 10 plus ZDNet sites, then NordVPN was the fastest and the most consistent. If you’re looking for what was just the fastest, but not as consistent across all the test points, then Hotspot Shield showed up pretty well as did ExpressVPN.
    So from that, what do you take out of it? Well, the fact is almost all of these companies have 30 to 45-day money-back guarantees. And the reality is your mileage is going to be different from everybody else’s. Your mileage may vary. So what you really need to take out of this is you need to test it in that 30 to 45 days and find out how it performed for you, especially if you’re just at home and you’re working from home, then that’s easy. But if you’re traveling between home and office, or you’re going to your favorite coffee shop, if they still exist, or you’re going to the airport and you’re allowed to do that, you should test in those environments because that’s the kind of environment you’re working in, and see whether you’re getting the numbers you need. Because really, the bottom line is what our tests can eliminate, you’re having to look at the 500 VPNs out there and narrow it down to, say, three or four to start with. But you should check those three or four for what works best for you.
    Beth Mauder: Anything else, David?
    David Gewirtz: I would say that things to look at, and if you’re looking at choosing a VPN, you want to look for a VPN that has something called a kill switch. What that means is that if the VPN ceases to function, it doesn’t just let your data go out. What it does is it shuts off your internet connection. That’s a really important thing to keep in mind. Because again, if you’re in a coffee shop somewhere and the VPN itself quits for some reason, without the kill switch, now your data is free and open to go out to everyone. What you want is to have it decide, “I don’t have a connection. I am just going to shut you on down.” And that way, you’re careful about that. Other things to keep in mind are what you’re using the VPN for. Are you using it just to protect your login information? Or are you using it because you’re concerned about stalkers or you’re an activist or something like that?
    If you’re just protecting your own information and you’re in a coffee shop, then most of these VPNs will do fine for you. If you are using the VPN to protect your life, then you need to do additional research. No one of these articles will be enough. You need to go onto forums. You need to go to groups that are like you to see what they say and what they experience. Because many people, well, not many people, but a significant percentage of people use VPNs to protect their lives in certain ways. And for that, be more serious than just reading one review.



    Dutch police post 'friendly' warnings on hacking forums

    Dutch police have posted “friendly” messages on two of today’s largest hacking forums warning cyber-criminals that “hosting criminal infrastructure in the Netherlands is a lost cause.”
    The messages were posted following “Operation Ladybird,” during which law enforcement agencies across several countries intervened to take down Emotet, one of today’s largest botnets.
    Dutch police played a crucial role in the Emotet takedown after its officers seized two of three key Emotet command and control servers that were hosted in the Netherlands.
    But today, Dutch police revealed that after the Emotet takedown, its officers also went on Raid and XSS, two publicly accessible and very popular hacking forums, and posted messages in order to dissuade other threat actors from abusing Dutch hosting providers to host botnets or other forms of cybercrime.
    A message in English was posted on Raid, a forum popular with stolen data traders, and a second message, in Russian, was posted on XSS (formerly known as DamageLab), a Russian-speaking forum where hackers rent access to malware-as-a-service operations, and a forum usually frequented by today’s top ransomware gangs.

    Message posted on the Raid forum by Dutch police
    Image: Dutch police

    Message posted on the XSS forum by Dutch police
    Image: Dutch police
    The messages, as can be seen above, warn hackers that “hosting criminal infrastructure in the Netherlands is a lost cause” and that Dutch police plans to continue seizing their infrastructure.
    A link to a YouTube video was also included, a video that ends with a message from Dutch police that says: “Everyone makes mistakes. We are waiting for yours.”

    The aggressive messages aren’t a surprise, at least for cyber-security experts, most of whom are well aware of the Dutch police’s aggressive stance.
    Over the past few years, Dutch police have been at the center of many botnet takedowns, big and small. They arrested the owners of two web hosting providers that commonly hosted DDoS botnets, took down 15 different DDoS botnets in a week, moved to intercept encrypted BlackBox cryptophone messages, shut down Ennetcom for providing encrypted chat support for cybercrime groups, and have aggressively hunted phishers, malware operators, and users of DDoS-for-hire services.
    Dutch police are also currently at the heart of a mass-uninstallation operation to remove the Emotet malware from infected hosts, together with German police.


    Ditching LastPass? Here are some alternatives to try

    LastPass has announced some big changes to its free offering, making the service much more restrictive for people who want to access their passwords across mobile devices and computers.
    Now, before I go any further, I think it’s worth pointing out that I am a LastPass Premium user. I have been for many years, and I’ve been 100% satisfied with the service, especially for $3 a month.
    But I can also understand why you might not be so keen to pay for something that was previously free.
    Let’s take a look at what alternatives are on offer to you.

    This is a great choice for those in the Apple ecosystem. Save a password on one device, and it’s available on all your Apple devices.
    It works well for saving web and app log-in details, but it’s not really suited to other passwords and things like PIN codes.
    It’s free, but the cost of entry into the Apple club can hardly be considered free.
    View Now at Apple

    If you’re a Google Chrome user, then you already have a cross-platform password manager that will work anywhere you have Google Chrome installed and signed in to your Google Account.
    It works well for saving web and app log-in details, but it’s not really suited to other passwords and things like PIN codes.
    View Now at Google

    The free plan allows you to store unlimited passwords, notes, and credit cards and sync them to an unlimited number of devices, but you can only have one active device (in other words, you’ll be logged out of other devices).
    The premium plan, which starts at $1.49 a month if you take out a two-year plan, is one of the best-value premium offerings out there.
    View Now at Nord

    Along with a paid service, LogMeOnce offers a free, ad-supported tier with unlimited passwords across unlimited devices. You also get a password generator and the ability to store three credit cards.
    View Now at LogMeOnce

    While being part of a much bigger suite, Zoho Vault is offered as a free password service with unlimited passwords across unlimited devices, as well as premium features such as two-factor authentication and a password generator.
    View Now at Zoho

    Not a cloud service, but a free, open-source, lightweight and easy-to-use password manager for Windows. Not using Windows? There are unofficial ports for a variety of platforms (make of that what you will), including Android, macOS, iOS and iPadOS.
    I’ve used KeePass in the past, but without built-in cloud syncing, keeping the database current across multiple devices is more work.
    View Now at KeePass



    Bug in shared SDK can let attackers join calls undetected across multiple apps

    A small library that provides audio and video calling capabilities contains a bug that can allow attackers to join audio and video calls without being detected.
    The bug, discovered by security firm McAfee and tracked as CVE-2020-25605, impacts the software development kit (SDK) provided by Agora, a US company specializing in real-time communication tools.
    Apps that use this SDK for audio and video calling capabilities include the likes of MeetMe, Skout, Nimo TV, temi, Dr. First Backline, Hike, Bunch, and Talkspace.
    In a report published today, McAfee says that the Agora SDK does not encrypt the details exchanged while a new call is being set up, even when the app has the SDK’s encryption feature enabled.
    Any attacker sitting on the same network as a targeted user can intercept the traffic in the initial phases of a call, extract various call identifiers, and then join the call without being detected.
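The practical check behind the finding above is a regression test a security team can run itself: place a test call whose identifiers you know, capture the client's traffic, and confirm none of those identifiers appear in the clear. The script below is an added example (not McAfee's tooling and not Agora's protocol); the pcap reader handles the classic libpcap format only, the identifier names and sample frames are constructed, and the base64 matching only catches a value encoded on its own, not one buried mid-blob.

```python
"""Scan a packet capture for call identifiers that should never travel in the clear.

Added example, not McAfee's tooling and not Agora's protocol: after placing a
test call whose channel name and join token you know, run the capture through
this check. If any frame carries those values as plain text (or a common
encoding of them), the signalling path is not actually encrypted, whatever the
SDK's "encryption enabled" flag says. The sample frames below are constructed.
"""
import base64
import struct
import urllib.parse
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic libpcap magic when the file is little-endian
PCAP_MAGIC_BE = 0xD4C3B2A1  # the same magic read from a big-endian file


def iter_pcap_packets(data: bytes) -> Iterator[bytes]:
    """Yield the captured bytes of each record in a classic pcap file (pcapng is not handled)."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def encoded_forms(value: str) -> List[Tuple[str, bytes]]:
    """Byte patterns an identifier may take on the wire, with duplicate patterns dropped.

    Base64 forms only match a value encoded on its own (3-byte aligned); a value
    embedded inside a larger base64 blob encodes differently and is not caught.
    """
    raw = value.encode("utf-8")
    candidates = [
        ("raw", raw),
        ("urlquoted", urllib.parse.quote(value, safe="").encode("ascii")),
        ("base64", base64.b64encode(raw)),
        ("base64url", base64.urlsafe_b64encode(raw).rstrip(b"=")),
    ]
    seen, forms = set(), []
    for label, needle in candidates:
        if needle not in seen:
            seen.add(needle)
            forms.append((label, needle))
    return forms


def find_cleartext_leaks(pcap: bytes, identifiers: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (packet_index, identifier_name, encoding) for every identifier found in a frame."""
    hits = []
    for idx, frame in enumerate(iter_pcap_packets(pcap)):
        for name, value in identifiers.items():
            for label, needle in encoded_forms(value):
                if needle in frame:
                    hits.append((idx, name, label))
    return hits


def build_pcap(frames: List[bytes]) -> bytes:
    """Wrap raw frames in a little-endian classic pcap container (used here only to construct test input)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed identifiers for a test call and constructed frames; a real capture
# would come from tcpdump or tshark on the same network segment as the client.
TEST_CALL = {"channel": "demo-room-42", "token": "006abc123def"}
SAMPLE_FRAMES = [
    b"POST /join HTTP/1.1\r\nHost: signal.example\r\n\r\nchannel=demo-room-42&uid=1001",
    b"\x17\x03\x03\x00\x20" + bytes(range(32)),  # TLS-looking record, nothing recognisable
    b"GET /rtc?t=MDA2YWJjMTIzZGVm HTTP/1.1\r\n",  # the token, base64-encoded
]

if __name__ == "__main__":
    for idx, name, label in find_cleartext_leaks(build_pcap(SAMPLE_FRAMES), TEST_CALL):
        print(f"packet {idx}: '{name}' exposed ({label})")
```

Run against a real capture, any hit means an observer on the same network has what it needs to attempt a join; an empty result is necessary but not sufficient, since the setup could still be sent over a transport that is encrypted but not authenticated.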
    McAfee said it discovered this issue last year, in April, during a security audit for temi, a personal robot used in retail stores, which also supports audio and video calling.
    A subsequent investigation found clues that the behavior also affected other apps using the SDK, and the security firm said it notified Agora of its findings.

    Steve Povolny, Head of Advanced Threat Research at McAfee, told ZDNet in an email last week that McAfee notified Agora of its findings and that the company responded by releasing a new SDK in December 2020 that was not vulnerable to CVE-2020-25605.
    “While we don’t know which of these apps have implemented the new SDK, we can confirm that Agora has released the SDK and has followed up with its developers to urge them to implement the update,” Povolny told ZDNet.
    An Agora spokesperson did not return a request for comment.
    Agora-based apps have tens of millions of downloads on the Play Store alone; however, McAfee said it found no evidence that the bug was abused in the wild to spy on conversations.


    Best password manager in 2021

    Everyone needs a password manager. Period, full stop. It’s the only possible way to maintain unique, hard-to-guess credentials for every secure site that you, your family members, and your team access daily.


    The six programs listed in this guide all offer a full set of features in exchange for a monthly or annual fee. Although some offer a limited free plan, our evaluation is based on the full feature set available with a paid subscription.
    All of the programs run on Windows or Linux PCs, Macs, and mobile devices. To get started, you install a stand-alone app or browser extension and sign in to your account. The app saves sets of credentials in a database whose contents are protected with 256-bit encryption. To unlock the password database, you enter your master password, which only you know and from which the decryption key is derived. The browser extension or app handles the work of automatically filling in credentials as needed.
    Different password managers have different user experiences and different feature sets, but all offer subscribers a similar set of core features: 
    A password generator that puts together a combination of upper- and lower-case letters, numbers, and symbols. 
    Secure sharing of passwords with trusted contacts. 
    Form filling, including the option to automatically enter credit card details. 
    Secure notes.
    A sync engine that replicates the database across devices, using a cloud service or a local host.
    Password managers that sync the saved password database to the cloud use end-to-end encryption. The data is encrypted before it leaves your device, and it stays encrypted in transit and on the remote server. When you sign in to the app on your local device, the program sends the server a value derived one way from your master password; it proves you know the password but cannot be reversed to recover the key that decrypts the database.
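The design described in the two paragraphs above, with the master password stretched into a vault key that never leaves the device and a separate one-way value used for sign-in, is easy to get wrong if both are derived the same way. The following is an added illustration, not any vendor's code: the iteration counts, the use of the account name to derive the salt, and the domain-separation label are assumptions made for the example.

```python
"""Master-password handling for a cloud-synced password manager.

Added illustration of the design sketched above, not any vendor's code: the
master password goes through a slow key-derivation function to produce the
vault key, which stays on the device; a second, one-way derivation yields the
value sent to the sync server for sign-in, and the server stores only a salted,
stretched hash of that value. Iteration counts and the choice of salt are
assumptions for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

CLIENT_KDF_ITERATIONS = 600_000   # assumption: tune to device speed, never make it small
SERVER_HASH_ITERATIONS = 100_000  # assumption: second stretch so a leaked server record is not a login credential


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of the 256-bit key that encrypts the vault. Stays on the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, CLIENT_KDF_ITERATIONS, dklen=32)


def derive_auth_value(vault_key: bytes) -> bytes:
    """One-way value the client presents at sign-in; HMAC is a PRF, so it cannot be inverted to the vault key."""
    return hmac.new(vault_key, b"password-manager-auth-v1", hashlib.sha256).digest()


class SyncServer:
    """Holds only a salted, stretched hash of each user's auth value, never the vault key."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user_id: str, auth_value: bytes) -> None:
        server_salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_value, server_salt, SERVER_HASH_ITERATIONS)
        self._records[user_id] = (server_salt, stored)

    def verify(self, user_id: str, auth_value: bytes) -> bool:
        record = self._records.get(user_id)
        if record is None:
            return False
        server_salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", auth_value, server_salt, SERVER_HASH_ITERATIONS)
        return hmac.compare_digest(stored, candidate)  # constant-time comparison


def _salt_for(user_id: str) -> bytes:
    # Assumption for the example: a per-user salt derived from the normalised account name,
    # so the same password on two accounts yields two different vault keys.
    return hashlib.sha256(user_id.strip().lower().encode("utf-8")).digest()


def enroll(server: SyncServer, user_id: str, master_password: str) -> None:
    """Client-side enrollment: the server receives the auth value only."""
    vault_key = derive_vault_key(master_password, _salt_for(user_id))
    server.register(user_id, derive_auth_value(vault_key))


def sign_in(server: SyncServer, user_id: str, master_password: str) -> Tuple[bool, Optional[bytes]]:
    """Return (accepted, vault_key); the vault key is computed locally and never transmitted."""
    vault_key = derive_vault_key(master_password, _salt_for(user_id))
    if server.verify(user_id, derive_auth_value(vault_key)):
        return True, vault_key
    return False, None


if __name__ == "__main__":
    srv = SyncServer()
    enroll(srv, "alice@example.com", "correct horse battery staple")
    ok, key = sign_in(srv, "alice@example.com", "correct horse battery staple")
    print("accepted:", ok, "vault key held on device:", key.hex()[:16] + "...")
    print("wrong password accepted:", sign_in(srv, "alice@example.com", "hunter2")[0])
```

The point to check in any real product is the same one this example makes explicit: the value that crosses the network must be derived from the vault key (or from the password through an independent, one-way step), never be the vault key itself, and the server should stretch and salt it again so a database leak does not hand out working login credentials.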
    What we looked for 
    In putting together this list, we looked at third-party reviews and opinions from security experts, with a goal of finding the broadest possible selection of products from established developers. We supplemented that knowledge with our own hands-on experience.
    Four of the password managers in our list offer free versions, typically with some limitations and an option to upgrade to a paid subscription for additional features. All offer both personal and business versions of their products, and some offer family subscriptions that allow multiple user accounts with the option to grant access to credentials for shared services. If you prefer open source software, look at Bitwarden, which offers an excellent free version as well as subscription options.

    Our capsule descriptions are not intended to be comprehensive but rather are designed to help you create your own shortlist. After you narrow down possible contenders, we encourage you to look at the feature table for each one to confirm that it meets your needs, and to take advantage of free trial options before settling on your final choice.
    Because security is such an important feature of a password manager, we’ve tried to address the key question many of our readers ask: Where is your data stored? All of these commercial products offer a cloud sync option; some also include the option to save and sync files locally, so you don’t have to trust your online keys to someone else’s infrastructure.
    And rather than summarize the encryption and data handling precautions each developer takes, we’ve included a link to their online security page so you can read that information and decide for yourself whether you trust their design and encryption decisions.

    Free version now limited to one device type

    Security details are here.
    LastPass, which has been a member of the LogMeIn family since 2015, is one of the best-known brands in a very crowded field, largely because for years its free edition offered a robust set of features and supported an unlimited number of devices per user. That policy changed in March 2021, when the company revised its offerings to require a paid plan for use on both mobile devices and one or more personal computers. The company’s personal and business product lines work on all major desktop and mobile platforms and browsers. The service is cloud-based only, with files stored on the company’s servers and synced to local devices.
    The Premium version ($36 a year), besides enabling cross-platform support, adds a few extra features, such as advanced multi-factor authentication options, 1GB of encrypted file storage, and the capability to designate a trusted contact for emergency access. The family plan, which covers up to six users, costs $48 a year and includes a management dashboard. Business plans start at $48 per user per year. 
    View Now at LastPass

    Fewer than 50 passwords? This free version will do

    Security details are here.
    Dashlane doesn’t have the longevity of its chief rivals, but it’s been around long enough to earn a reputation for ease of use. Apps are available for Windows PCs, Macs, Android, and iOS. If your password database includes fewer than 50 entries and you only need to use the software on a single device, you can get by with the free version, which also supports two-factor authentication. Dashlane does not offer a family plan, but it does support sharing of passwords between accounts.
    The $60-per-year Premium version removes limits on the number of saved passwords and synced devices and includes a VPN option. The $120-per-year Premium Plus bundle adds identity theft insurance and credit monitoring. Business plans include the same features as Premium, at $48 per user per year, with provisioning and deployment options as well as the capability to segregate business and personal credentials. (All prices require annual billing.) 
    View Now at Dashlane

    Allows an unlimited number of saved credentials

    Security details are here.
    Sticky Password was founded in 2001 by former executives of AVG Technologies, which was a pioneer in the freemium category for security software. True to their roots, this password manager offers a full-featured free version that works on all major device categories and browsers, allows an unlimited number of saved credentials, and supports two-factor authentication and biometric sign-in.
    The $30-per-year premium version includes the ability to sync between devices, using either the company’s servers or a local-only option using your own Wi-Fi network. It also supports cloud backups and secure password sharing and includes priority support. If you’re really committed to the service, you can purchase a lifetime subscription for $200. 
    View Now at Sticky Password

    Business accounts cost $96 per user per year

    Security details are here.
    Although this product earned its reputation on Apple’s Mac and iOS devices, it has embraced Windows, Android, Linux, and Chrome OS as well; the 1Password X browser extension fills in credentials, suggests passwords, and provides two-factor authentication in Chrome, Firefox, and Microsoft Edge. After an initial 30-day free trial, a 1Password personal subscription costs $36 per year; a five-user family subscription costs $60 annually.
    1Password works best when its data files are synced from 1Password’s servers, but you also have the option to save passwords locally and sync the data file with your own network or a Dropbox or iCloud account. (The company boasts that it does no user tracking of any kind.)  1Password Business accounts add advanced access control, with activity logs and centrally managed security policies, cost $96 per user per year and include 5GB of document storage (compared to 1GB for personal accounts) plus a free linked family account for each user. 
    View Now at 1Password

    $60-per-year bundle adds KeeperChat encrypted messaging

    Security details are here.
    Founded in 2011, Keeper has probably the widest assortment of products of any developer in this guide, with separate offerings for personal and family use, business, enterprise customers, and managed service providers. Personal plans start at $30 a year for Keeper Unlimited, which (naturally) allows storage of an unlimited number of passwords and syncs them on an unlimited number of devices.
    A $60-per-year bundle adds the KeeperChat encrypted messaging program, secure file storage, and a breach monitoring service that scans saved passwords to find any known to be compromised. The family version of each plan doubles the cost and supports up to five users. Keeper stores synced data files on the Amazon Web Services cloud. Student plans are half-off the listed prices. 
    View Now at Keeper

    Core features are “100% free”

    Bitwarden brags that its core features are “100% free,” and that’s not an idle boast. That free version has none of the limitations associated with commercial software. Instead, the paid versions ($10 per year for a single user, $40 annually for a family of up to 6) add advanced features like a built-in TOTP authenticator and two-step login with a hardware key.
    The source code for Bitwarden is hosted on GitHub, with separate repositories for desktop, server, web, browser, mobile, and command-line projects. It has all the checklist features of commercial personal password managers, including secure cloud syncing. If you’re uncomfortable with storing your passwords in the Bitwarden cloud, you can host the infrastructure on your own server, using Docker.
    View Now at Bitwarden



    Tesla’s next business: Turning your solar roof and EV into Bitcoin mines

    In my previous post about blockchain and cryptocurrency, I discussed why I thought Tesla was making such a substantial investment in Bitcoin and allowing the cryptocurrency to be used for car purchases in the future. The balance of its revenue stream, which comes from selling surplus Renewable Energy Credits (RECs), will dry up in the next several years as competing automakers can produce their own Zero-Emission Vehicles (ZEVs) and build up their own RECs with states that require them.

    Allowing its customers to purchase vehicles entirely or partially with Bitcoin is potentially one way of differentiating Tesla from other auto manufacturers. But this in and of itself is not a sustainable business strategy. 
    Perhaps Elon Musk has another, even wilder business plan for Tesla over the long-term — a plan just as crazy ambitious as building giant reusable space rockets that can land on their tails.
    Your solar roof: The ultimate idle money game
    Besides cars, Tesla’s other significant business involves solar panels, solar roofs, and batteries. The batteries are used in their cars and provide power storage for their residential solar systems, sold as the Tesla Powerwall.
    In most states where residential solar is installed, surplus energy from the arrays can be fed back into the grid where the local power company will “net meter” or prorate a customer’s electric bill based on what they generate into or draw from the system. Based on a customer’s consumption and how much a solar system produces, there will be a surplus or a deficit.
    Powerwalls can store that surplus energy and power various things in your home, including air conditioners, and charge your Tesla EV.
    But suppose Tesla added GPUs for mining cryptocurrencies to the on-premises energy management computer built into its inverter system or the Powerwall. These devices are already connected to home Wi-Fi and have a management app, so upgrading them with Wi-Fi 6, attaching them to a cryptocurrency network, and adding an easy-to-use mobile app for cryptocurrency account management would be an achievable systems integration effort for Tesla, given the company’s considerable engineering resources. 

    It would then be possible for your home to become the ultimate idle money-producing game — you would generate actual Bitcoins with the surplus energy your solar system makes. That might be more lucrative than getting the net metering discount from your power company, which is not incentivized to be price competitive with your solar system’s energy output, as most of these companies are paying Time-Of-Use (TOU) pricing for your power generation.
    If you have a large enough solar array and you live in a state with plenty of sunshine — and assuming Tesla comes up with an easily expandable, modular design (perhaps even as an add-on product for Powerwall) — you could add a whole chain of these GPUs to your solar computer and make a decent amount of crypto.
    That makes the prospect of installing solar in your home a lot more attractive if you figure the Tesla roof, on average, will cost $50,000 to $75,000, not counting government tax incentives.
    All Tesla needs is a simple app interface to point and click which cryptos you want to mine, API integration with a currency exchange for cash conversion, and, presto, everyone with a solar roof is in the crypto business. 
    Why Tesla and GPUs
    To execute this plan, Tesla would need a power-efficient GPU that requires minimal cooling (perhaps fanless, or even water-cooled). If these GPUs are colocated with the Inverter/Powerwall, they would have to operate in environments that could get as hot as inside a garage during summer months or inside a housing mounted on the outside of your home, unless they are physically networked and placed inside the house and tied into the Inverter or Powerwall’s power distribution system.
    Where would Tesla get such a thing? And why would the company suddenly decide to do this? The idea to use GPUs to mine cryptocurrency when its products are idle during a charge phase or generating surplus energy almost certainly arose during the development of its cars’ autonomous driving feature and benchmarking the onboard computing hardware’s capabilities.
    In 2019, the company held an Autonomy Investor Day and claimed that it had switched from NVIDIA GPUs in its vehicles to chips of its own design in the Model S, Model X, and Model 3 cars. At the time, the company’s director of silicon engineering, Peter Bannon, stated:

    So here’s the design that we finished. You can see that it’s dominated by the 32 megabytes of SRAM. There’s big banks on the left and right and the center bottom, and then all the computing is done in the upper middle. Every single clock, we read 256 bytes of activation data out of the SRAM array, 128 bytes of weight data out of the SRAM array, and we combine it in a 96 by 96 small add array, which performs 9,000 multiply/adds per clock. At 2 gigahertz, that’s a total of 3.6 — 36.8 TeraOPS.
    We had a goal to stay under 100 watts. This is measured data from cars driving around running a full autopilot stack. We’re dissipating 72 watts, which is a little bit more power than the previous design, but with the dramatic improvement in performance, it’s still a pretty good answer. Of that 72 watts, about 15 watts is being consumed running the neural networks.
    In terms of costs, the silicon cost of this solution is about 80% of what we were paying before. So we are saving money by switching to this solution. And in terms of performance, we took the narrow camera neural network, which I’ve been talking about that has 35 billion operations in it, we ran it on the old hardware in a loop as quick as possible and we delivered 110 frames per second. And we took the same data, the same network, compiled it for hardware for the new FSD computer, and using all 4 accelerators, we can get 2,300 frames per second processed, so a factor of 21.

    In 2021, the GPU used in Tesla’s latest vehicles is even more ambitious. The newest Model S (and, supposedly, the X) EVs use a custom AMD RDNA 2 GPU with 10 teraflops of computing power, which puts it on par with some of the most powerful console gaming systems on the market, such as the Sony PS5. With an onboard system like this, you wouldn’t even need a GPU-equipped Powerwall; when the vehicle is being charged, it could be used to generate cryptocurrency as well.
    The business opportunity
    So, Tesla certainly has plenty of experience with GPUs, but can it use them as a key differentiator from other automakers and solar technology companies like Enphase Energy, Samsung, LG, and Panasonic, the current market leaders in the solar space?
    While sleeker and more tightly integrated, Tesla’s solar roof is more expensive than competing solutions, and that’s been hampering adoption. Its solar roof solution is currently only more competitive in scenarios where an entire roof has to be replaced.
    Having a roof that generates income for the consumer from surplus energy could be a significant selling point, particularly if a substantial portion of the cryptocurrency income could be applied to the financed cost of the solar panels or the payments on a Tesla vehicle. If it brings down the equivalent price of a Model S from $75,000 to $65,000 over a five-year finance term, or a $50,000 Model 3 to $40,000, that’s a good incentive. It also makes the return on investment of a $70,000 roof that much quicker, even if the GPU piece adds a few thousand dollars to the purchase price.
    Tesla could also pro-rate the expense of the roofs (and the vehicles) by effectively leasing the GPUs’ space in each home (or at commercial businesses where the roofs or solar cells are installed) and keep the balance of the crypto income for itself.
    And if you bought that vehicle or that roof or panels in cash? That vehicle’s GPU or the solar roof GPU stack (assuming you can add several just as you can with multiple Powerwalls) should be building assets for you that increase in value. Tesla shouldn’t get to keep any of it.
    However, instead of using the cryptocurrency generated by the systems to pay off fiat currency-based financing, it is more likely that it could be used to build up “credits” in an escrowed account Tesla would honor toward future purchases. Tesla itself would keep the cryptocurrency income, like Bitcoin, Dogecoin, or whatever instrument the GPUs generate — but the consumer would have loyalty points accumulated. If a new car costs 100,000 loyalty points, and over five years, your roof and your vehicle generate 30,000, that could be used towards your next vehicle purchase — locking you into that ecosystem.
    Is Tesla going to differentiate from other solar and auto manufacturers by using automotive and solar energy compute GPUs to generate cryptocurrency? Talk Back and Let Me Know.


    More bosses are using software to monitor remote workers. Not everyone is happy about it

    Research suggests as many as one in five businesses are now using technology capable of monitoring worker activity. 
    Finding effective ways of managing remote workers will be a priority of many businesses in the months to come, as new styles of working spurred by COVID-19 settle into long-term trends.
    While many organizations have been able to keep teams running successfully using a hodgepodge of email, messaging apps and video-conferencing software, managers who want more visibility of their remote workers have started looking towards more comprehensive means of keeping detailed track of what employees are up to. That means a renewed interest in remote management and monitoring software.

    Remote monitoring software is often sold as a tool for helping employers track productivity and as a means to help managers identify areas where workplace processes can be improved – something high on the agenda for businesses looking to make flexible working a permanent fixture.
    These technologies provide a variety of capabilities that can give employers remarkable insight into how employees use their time while at work, including the websites they visit, the apps they use, and, in some cases, the ability to record their keystrokes and desktop sessions.
    According to research from Skillcast and YouGov in December 2020, as many as one in five businesses are now using technology capable of tracking workers’ online activity, or have plans to do so in the future. In a separate study by the UK’s Trades Union Congress (TUC) in November, one in seven employees reported that their workplace had increased monitoring and surveillance since the start of the pandemic.
    While businesses may have legitimate reasons for wanting to introduce activity-tracking software, particularly in those industries that handle high-value data on a day-to-day basis, some have raised concerns over what the slow creep of this technology into the remote-working environment means for employee privacy, particularly as the boundaries that separate work and private life become even more blurred.

    “I think there are huge questions around how technology is changing our relationship to work and with employers, but also the speed at which it’s being introduced,” says Andrew Pakes, director of communications and research at professional trade union Prospect.
    “During COVID-19, we’ve seen this growing interest in the use of digital technology to support remote working, and in many ways, that’s been a real benefit to support and connect people. But alongside the positive use of technology, we’ve seen this worrying trend of intrusive surveillance, and a rush to use these new forms of software.”
    Prospect has been vocal in its pursuit for clearer guidance around the use of remote monitoring software, and what more widespread introduction of the technology into businesses means.
    Research carried out by YouGov on behalf of Prospect last year suggested that two-thirds of employees were uncomfortable with the notion of employers recording information like screenshots and keystrokes while they were working from home.
    Since then, the union has called on the UK Information Commissioner’s Office (ICO) to provide further clarity on what workers’ rights are when it comes to the data employers collect on them, as well as to ensure that workers can have a say in the conversation around workplace technology.
    Pakes calls the practice of monitoring employees “a discreet discussion that too often happens in procurement and board rooms”, but far away from employees themselves.
    “The law is clear that workers have a right to be informed if their data is being collected for surveillance purposes, and we have a right to be consulted. Our worry is that, too often, that consultation involvement isn’t happening,” says Pakes.
    “We’re saying two things. One, the ICO needs to provide greater and clearer guidance so that workers can see what their rights are. Secondly, we really need to start picking up and looking at where the gaps exist in existing legislation.”
    What does GDPR say?
    The ICO’s Code of Employment Practices warns that businesses risk breaching the General Data Protection Regulation (GDPR) if they begin monitoring employees without proper authority. 
    It also states that workers should be left with a clear understanding of when information about them is likely to be obtained, why it is being obtained, how it will be used and to whom – if anyone – it will be disclosed.
    “If monitoring is to be justified on the basis that it is necessary to enforce the organization’s rules and standards, [these] must be known and understood by workers,” the guidance reads. And yet, in TUC’s November survey, fewer than 1 in 3 (31%) employees said they were consulted when new forms of technology were introduced to the workplace.
    There are six lawful bases for processing personal data under GDPR: clear consent from the individual in question; legal obligation; vital interest to the individual; public interest; contractual obligation as well as legitimate interest of the data controller.
    Sarah Pearce, privacy and cybersecurity partner at global law firm Paul Hastings, says this is where things can get murky for remote monitoring tools, particularly those that collect anything that could be deemed as sensitive or personal data under GDPR.
    “When it pushes into the border of special category and sensitive data, then there is more of an issue, because there are certain additional conditions in Article 9 of GDPR that need to be satisfied,” she tells ZDNet.
    Pearce also finds that companies are increasingly seeking to justify remote monitoring tools under the grounds of ‘legitimate interest’ under GDPR. “From speaking to my employment colleagues, it is very difficult to find a legal basis to justify monitoring in that way,” she says.
    Using the consent mechanism can also be problematic for employers. “There is a big issue with using consent in the employment context. Generally speaking, you cannot use the consent mechanism in an employment context, because it’s seen as being an unfair balance of power,” says Pearce.
    Employees not ready
    Certainly not all staff are comfortable with such monitoring. Microsoft faced criticism from privacy advocates who took issue with its Productivity Score feature for Microsoft 365. The tool analysed how users within an organization used Microsoft 365 products and then assigned them an overall “productivity score” based on how often they engaged with things like meetings, email and messaging apps.
    The outcry mainly stemmed from the fact that Productivity Score showed analytics for individual employees that could potentially be used by managers to judge their performance. Microsoft subsequently pared back the tool by removing the ability for admins to view data on named employees.
    Microsoft 365 corporate vice president, Jared Spataro, later clarified that Productivity Score was not designed as a tool for surveillance, but rather to help businesses identify how users were working within its software suite and help them run remote-working environments more successfully.
    Regardless of employee attitudes to these kinds of tools, the fact that Microsoft is making moves in this space is enough to set alarm bells ringing for Pakes, who sees it as a sign that the technology is moving into the mainstream.
    “If Microsoft is introducing tools that can be used for work-based surveillance, then lots of other software products will be offering similar forms of monitoring that employers can use,” he says.
    “It was sold as a really exciting product for employers, that you could check what your workers are doing. That sets alarm bells off to me. What it says is that workers don’t have a seat at the table when these issues are being discussed, either by big software companies or inside businesses, and that we need to get a better understanding of what the power of these tools are.”
    A booming business
    Both employers and employees agree that remote working, or at the very least a combination of both at-home and office-based working, is going to form the foundations of the post-COVID work economy. It stands to reason, then, that more organizations will be looking for tools that can make this sustainable in the long-term, by leveraging the kind of insights that can be enabled by analytics and reporting capabilities – particularly if it offers to fix problems that the rushed approach to remote working has created.
    “What businesses want to know right now is really two things. One: what are the employees working on when they are working from home? And two: trying to bring back that level of security that they had in an office environment,” says Eli Sutton, VP of operations at Teramind.
    Teramind’s software offers a combination of user productivity monitoring, data loss and threat detection tools for employers who need deeper insight into workplace activity. The company has customers throughout the healthcare, legal, automotive, energy, government and financial industries.


    Sutton says the software ensures that workers are using company time properly. Teramind can track which websites employees visit and for how long; live-stream and record workers’ desktop sessions, monitor employee keystrokes and read the contents of their email, along with any attachments.
    The purpose of the software is two-fold: keeping track of productivity and performance, as well as protecting businesses from any harm they could be exposed to as a result of data leaks, fraud or, in the case of banking and finance, insider trading.
    “Typically our customers in the financial sector use the solution on the security side of things: making sure that users who have access to their data don’t either accidentally or maliciously leak information that could cause financial harm or harm to their credibility,” says Sutton.
    “On the productivity side, it’s essentially monitoring of websites and applications. From there, you can drill down and see exactly how much time they spend on either these websites or applications, if there are websites or applications that don’t necessarily fit within their company tasks, and how much time was spent on those.”
    Sutton explains that features can be enabled or disabled based on what customers want from the software. He also suggests that, for the most part, organizations aren’t using Teramind’s software to micromanage employees or call them out for spending too much time on YouTube (although this is something the software can flag).
    “The only time it really comes to discussion is if somebody’s really abusing company policy. For the most part, it’s more about making sure the user has all the resources necessary, especially during the work-from-home environment,” he says.
    “We’ve found that, for many of our customers, they’ve discovered that particular users were taking longer to complete certain tasks. Through the solution, they found that it was because they were lacking the essential tools while working at home to complete these tasks.”
    Whatever your take on the technology is, there is clearly an appetite for it. According to Sutton, Teramind has seen business increase three-fold since the start of the pandemic.
    “Even today, with talks of vaccinations and talk of people going back to work, we’re still seeing an increase,” he says.
    The right to disconnect
    The fact that a large chunk of the professional workforce is now working from home adds another degree of complexity to the debate around remote monitoring software.
    In December, the European Parliament voted in support of granting digital workers in Europe a fundamental ‘right to disconnect’ from work-related tasks outside of working hours, without facing consequences from their employers.
    In January, MEPs called for this to be enshrined into EU law, saying it was crucial for preventing burnout among workers in a culture that pressured them to be always on – an issue that has undoubtedly been exacerbated by the pivot to working from home.
    Pakes argues that the rise of remote monitoring tools, particularly as they move into the home, would make it even harder for workers to disengage from work. “This creeping boundary of what is our home life and our right to a private life, I think, is going to be one of the great challenges of this decade,” he says.
    “This is a fundamental change, and that’s why we’ve got to ensure that we’re using the rights that we’ve got, but we also have an embracing conversation about, what does it look like for the future?”
    Kiri Addison, head of data science for threat intelligence and overwatch at Mimecast, suggests that more invasive forms of remote monitoring and surveillance software risk eroding trust between employer and employee.
    “Personally, I think to go to those extremes is probably more damaging for the relationship between the employer and the company,” she tells ZDNet.
    “There are cases where, particular employees see it then as a game, they’re trying to get around the monitoring software, and you’re introducing security risks. It’s not a good dynamic, the relationship between the company and the employee, if they see the company as an enemy or someone they have to ‘beat’.”
    Gartner analyst Whit Andrews shares a similar view, adding that workers may view monitoring attempts as a breach of the “social contract” between employer and employee.
    “It’s unsurprising then that we’re beginning to see that workers are not particularly pleased with increased capacity to monitor them,” he tells ZDNet. 
    “They’re seriously concerned about this, and their reaction is understandably oriented towards evading the system… When you start talking about monitoring workers in their homes, I think that social contract becomes a little bit harder to defend.”
    ICO guidance makes clear that, in all but the most straightforward of cases, employers should perform a Data Protection Impact Assessment (DPIA) to decide if and how to carry out monitoring, and whether monitoring is justified to begin with.
    A DPIA can help organizations identify and minimize any risks associated with projects that include processing personal data, particularly those that could pose a high risk to individuals, and are something that Pearce always recommends to clients that are thinking about going down the monitoring avenue.
    “A DPIA really is an assessment, evaluation, and in-depth analysis of what you are anticipating doing: what are your reasons, what are your anticipations, and then equally, what is the impact on the individuals? That has to be very in-depth,” she says.
    “The ICO has a template standard form. It’s not a requirement that you follow it in that way, but it does set out some suggestions of what you might want to include in a DPIA. Any company looking to do that would be well-advised to have a look at that.”
    Current guidance ‘woefully outdated’
    Of course, with many organizations having been forced to move to cloud-based working almost overnight, businesses have been left with little time to draw up new technology blueprints for the months and years ahead.
    Reports have suggested that some organizations have had to bring forward their digital transformation plans by as many as five years, and that guidance could be slow to catch up.

    Last month, Labour shadow digital minister, Chi Onwurah, warned that “guidance and regulation to protect workers are woefully outdated in light of the accelerated move to remote working and rapid advancements in technology,” and called on ministers to provide better regulatory oversight of online surveillance software to ensure people have the right to privacy whether in their workplace or home, “which are increasingly one and the same.”
    Speaking to ZDNet, Onwurah says that neither the Government nor the ICO has responded to this dramatic change in our working lives, leaving far too many people subject to exploitative practices.
    “There is a woeful lack of protection for workers as they bring their work home in this pandemic, and they are also increasingly being subject to unacceptable levels of digital surveillance without their informed consent,” she warns.
    An ICO spokesperson told ZDNet that the organization was in the early stages of developing new employer-focused guidance, though didn’t specify whether this would contain provisions for the use of remote monitoring and surveillance software.
    “As this work develops, we will be engaging with organizations and seeking their views,” the spokesperson said.
    Pakes worries that too much of the ICO guidance is focused on employers, rather than workers themselves. “Yes, the ICO has a role to provide advice to employers, but it also has a role to provide it to workers,” he says.
    “The ICO never says we’re going to provide clear guidance for workers so that you can see your rights. They only talk about guidance for employers, and I think we’ve got to redress that balance.”
    Technology vs Trust
    Clearly, there is a balance to strike in making remote working sustainable for businesses in the long term, while respecting the rights of employees and ensuring that their homes remain safe havens from the demands of work.
    Employers will undoubtedly need more visibility over staff who are working on home networks that may be less secure than corporate ones, particularly if they’re regularly dealing with valuable data. But what degree of monitoring this requires – or is perhaps necessary – is another question.
    You could argue that employees who are doing the work they’re meant to do have nothing to worry about. But the issue doesn’t seem to be employers having tools to catch workers not doing their jobs, but what it means for trust, transparency and fairness in working environments increasingly governed by analytics.
    Employees have already proven that they can be trusted to work from home and still be productive. Is remote monitoring software needed to ensure it stays that way?
    “We’ve long argued that workers should have flexibility. What we want to avoid is a return to presenteeism, where people are told they have to be in the office when they don’t,” says Pakes.
    “We’ve inverted our economic model over the past year and we’ve proved that many of us can work safely and securely and productively from home.
    “If we’re going to be using digital technology to create a kind of national framework for the future of work, we’ve got to ensure that we are amplifying the benefits and having serious conversations about minimizing the risks. And surveillance is one of them.”
