A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.
A redacted extortion email targeting users of Google’s AdSense program.
Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:
“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”
The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”
“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”
The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.
The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.
The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.
Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”
“Pretty concerning, thought it seems this group is only saying they’re planning their attack,” the reader wrote.
Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.
“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”
Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.
“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”
As of Monday, there have been 15 confirmed coronavirus cases in the United States and one confirmed death of an American. In addition to those patients, US health officials are currently monitoring hundreds of people across the country for the virus. Those infected with coronavirus are exhibiting pneumonia-like symptoms, including fever, cough, and shortness of breath.
Additional resources for tracking the virus include this page from the US Centers for Disease Control and Prevention and another from the WHO. These websites list up to date news on the spread of the virus as well as situation reports and maps of infected areas. Researchers from the University of Oxford, Harvard Medical School, Boston Children's Hospital and Northeastern University have also launched a virus tracking website with real-time updates.
Coronavirus was first reported to the WHO on Dec. 31, with Chinese investigators linking the disease to the coronavirus family of viruses, which also includes the deadly SARS and the Middle East respiratory syndrome (MERS).
Dr. Nancy Messonnier, the director of the CDC's National Center for Immunization and Respiratory Diseases, has maintained the position that the public risk from coronavirus in the US right now is still considered low. Messonnier said the strategy behind the US response to coronavirus is to slow it down, not stop it.
"It's important to know that this strategy is not meant to catch every single traveler returning from China with novel coronavirus," said Messonnier, at a previous press briefing. "Given the nature of this virus and how it's spreading, that would be impossible. But working together, we can catch the majority of them."
Nonetheless, financial markets are on edge amid fears of a global pandemic. The DOW Industrial has crashed and rebounded several times over the last few weeks, and Chinese stocks have plunged as the coronavirus outbreak worsens.
Individual technology companies have also reported uncertainty surrounding the Chinese market and the impact of the coronavirus. Apple noted in its first-quarter financial results that the coronavirus outbreak in China is affecting operations, and Google has closed offices and limited business travel. There are also concerns that the broader technology supply chain in China will be disrupted by the virus.
The Mobile World Congress technology conference in Barcelona was canceled due to coronavirus fears and dwindling corporate attendance. A number of high profile companies pulled out of the event before it was canceled -- including Amazon, Facebook, Cisco, Intel, Sony, Nvidia, LG and Ericsson -- and event organizers preemptively banned all attendees from Hubei province.
GnuCash is a free and open-source financing app for Linux. It is the ideal solution for small businesses and personal use. In this article, we shall review its features and let you decide if it fits your needs.
Are you looking for an accounting app for your business? If you do, try out GnuCash, an open-source, free-to-use financing platform for Linux. It is the ideal solution for small businesses. Nevertheless, you can also use it for your personal use.
In this article, we will take a closer look at GnuCash, its installation, and what it has to offer.
Installing GnuCash
The GnuCash installation process on Linux is simple. To install the latest version of GnuCash on Ubuntu, you need to do it using the following command. Installation on other Linux distros and OS can be found on their official wiki page.
sudo apt-get install GnuCash
Alternatively, you can install it directly from the Ubuntu Software Center. All you need to do a search for GnuCash and click the “install” button.
Gnucash in Ubuntu Software Center
Running GnuCash
The first time you open up the app, you will be greeted with a welcome message. It should also ask you to take action based on the following options.
GnuCash Welcome Message
If you are entirely new to the app, then it is always a good idea to choose the third option, “Open the new user tutorial.”
It should open up the “Tutorial and Concepts Guide.”
The tutorial and concepts window
GnuCash isn’t a beginner-friendly one. It has some learning curve, and if you are a beginner who never used it or not a power user, you are bound to struggle with the software. You also need decent financial skills to make good use of GnuCash. Don’t let all of these scare you! Once you’ve learned it properly, it can boost your business finance to a whole new level.
If you choose, “Create a new set of accounts,” you will be redirected to a wizard that walks you through a complete account setup. The steps include the following
New Account Hierarchy Setup
New Book Options
Choose Currency
Choose accounts to create
Setup selected accounts
Finish Account Setup
By using the assistant, you should be able to completely set up the accounts, liabilities, and other sources of expense and income. Once done, you should be able to save the account book as an XML file.
Saving-the-accounts
The last option is importing your accounts to the software. You can import using QIF and OFX format.
GnuCash User Interface
The user interface with GnuCash is simple to work with. All your accounts are listed on the software’s main page. This lets you access them all quickly. Apart from that, it also offers six quick actions at the top (under the main menu). When working with accounts, the steps simplify the workflow. The actions include saving, closing, opening, editing, new, and deleting.
Quick actions just below the main menu
GnuCash Features
To get a better understanding of GnuCash, let’s go through its key features below.
1. Supports different Linux and BSD versions
GnuCash can be installed on various versions of BSD and Linux, including Gentoo, Debian, SuSE, Mandriva, RedHat, Slackware, and Ubuntu (including derivatives thereof).
Besides, it may also be installed on Android, Windows, and Mac. The multi-platform approach is excellent for you as a user as you can manage your accounts across various platforms.
2. Double Entry
The app supports double entry. This means that when a transaction occurs, the amount must first be debited from one account, then credited to another. The features ensure books balance is maintained.
3. Checkbook-Style Register
It comes with a checkbook-style register, a familiar interface for those who worked with finance solutions. It offers custom transaction management. It also supports credit card transactions, routine checks, currency transactions, stock, and income. You can also split transactions, autofill, customize, etc.
4. Reports, Graphs
You can simplify data with reports and graphs. When it comes to charts, you can create Piecharts, Barcharts, and Scatter plots. For reports, it supports Profit & Loss, Balance Sheet, Portfolio Valuation, and more!
5. Scheduled Transactions
With GnuCash, you can create recurring transactions. These transactions can also be customized based on timeline and amount.
6. Income/Expense Account Types
You can also categorize your cash flow by creating income/expense account types.
7. Statement Reconciliation
The app has a reconciling tool that allows you to compare transactions with transactions in bank statements.
8. Advanced Features
GnuCash also comes with a ton of advanced features aimed at power users. These advanced features are useful for small enterprises. For example, it allows businesses to incorporate vendor and customer tracking. You can also manage bills and invoices directly from the app.
Other advanced features include Multiple currencies, Mutual Fund Quotes and Online Stock, and Mutual/Stock Fund Portfolios.
Wanna know tomorrow’s temperature? Don’t visit weather.com to find out, especially if you’re on a mobile device: the website has been compromised by a malicious advertising (malvertising) attack that is scraping personal information from its mobile users. While its purposes are not yet known, security searchers who have already identified and named this strain of malware — alternatively called “
IcePick-3PC
” or “
eGobbler
” — theorize that it originates from a group of organized criminals who are collecting the information for a future attack, or selling it on the Dark Web.In this article, I am going to explain what I found, the methodology behind my discovery and what it all means. First, some background.
Background
Whether they know it or not, most mobile users have encountered adware or malvertising on their smartphones and tablets. If you’ve ever been browsing the web only to end up on a page that looks like this, then you know what I’m talking about:
While malicious ads like this one take a variety of different forms — “spin the wheel” contests, surveys, free giveaways and many others — they all have the same purpose, and that’s to punk whoever clicks on them by:
Covertly stealing personal information (IP address, type of phone, browser, etc.)
Running a payload to take over device functions and install persistent malware
Loading a phishing page to harvest sensitive information from the user (credit card number, login credentials, etc.)
While I’d like to think most people are smart enough not to click on an ad like this, some of them obviously aren’t. Last year, a single malvertising campaign reached 100 million users, and there’s no reason attackers would pay for all that exposure unless some fish were biting.Incidentally, this is when I became interested in the problem of malware in the advertising supply chain, and that’s when I took it upon myself to identify the biggest sources. When starting out, I hypothesized that AdWare mostly spreads through small-to-medium sized publications, and would rarely show up on Alexa 500 sites. Boy was I wrong. Here’s how I figured that out.
Methodology
In the beginning, I searched for infected ads by just visiting the same site over and over again in a desktop browser and scanning the session for malware using Wireshark’s advanced malware analysis. This got pretty tedious after awhile, so I decided to switch things up after a week or two.
Using my rudimentary Python skills alongside the Pyshark packet scanner, I wrote a script to continuously launch web sessions and mark suspicious events based on patterns in the source code. All the weird stuff gets exported to a spreadsheet I can review and analyze afterwards, and since I was primarily interested in mobile malware, I altered the user-agent headers sent to the host to identify as a mobile device.I had a lot more success with this method, and immediately started finding some things that really shocked me — this discovery is just the first. After running my scripts on Weather.com overnight, I woke up to find a significant result. Here’s what I found:
Results
About once out of every thousand sessions (I launched 3,267 in total), a pretty nasty advertisement would load from one of several ad servers. In this instance, the origin was Sizmek, through the AppNexus network:
“serving-sys.com” is a URL associated with Sizmek’s third-party servicesWhen I went to replicate the result in a normal web browser, it looked normal enough — at least for the first few seconds. But then I was redirected to a phishing page typical for IcePick-3PC:
Based on its code and behavior, this page was obviously carrying the
IcePick-3PC
malware, sometimes referred to as ‘
eGobbler
’, which has been written about by security publications from ThreatPost to SCMagazine and Cyware. When it was first discovered in 2018,
IcePick-3PC
was pretty generic adware that would forward users to a phishing page for a “free giveaway”. But recently,
IcePick-3PC
changed tactics. Now — to quote Binary Defense:
if a user stumbles upon a webpage that has a compromised third-party library, the malware runs checks. These checks consist of who the user agent is, the type of device they are operating on, the level of battery it has, and the device’s motion and orientation. After these checks are verified, the malware will connect the infected device to a remoter peer prior to transferring the device’s IP address.
Here’s the scary part: researchers also believe that this malware is being used by an organized crime ring either to prepare for an enormous future attack on targeted users, or to sell collected information on the dark web. So anyone who has visited weather.com from a mobile device in the past few months is now vulnerable to future malicious activity down the road.
Analysis
The whole point of this article is to protect Internet users. I really didn’t expect to find something this awful on an Alexa 500 site like Weather.com, which — based on public stats from similarweb.com — got about 102.6 million visits a month on average, over the past six months. At the rate this ad was showing up (about 1 in 1000 visits as already mentioned), it’s been displayed to at least 53,560 visitors in the last month. And that’s just one malicious ad. Other data showed up in my research which I didn’t have the time to follow up on, and infected ads are a dime a dozen.On the one hand, it’s completely understandable that websites — who depend on third-party advertising to make revenue — fall victim to new malvertising attacks. On the other hand, the fact that this malware has been known about for some time means it’s already on multiple common vulnerability lists (CVEs), so there’s really no reason this should be happening. Either Weather.com hasn’t done anything to protect its users, or its paid someone who has no idea what they’re doing.
Conclusion
Weather.com is not the only website vulnerable to malicious advertising, and I highly doubt it’s the only one running
IcePick-3PC
either. This particular ad was delivered by AppNexus, but I’ve found similar incidents through AdRoll and other networks. All of this indicates a depressingly systemic flaw in the system of programmatic advertising that the Internet depends on: while individual publications may be responsible for what happens to their users, AdTech companies are higher up the chain, and they should be a hard barrier against bad code.Either they’re not aware that this is happening, or they don’t care enough to do anything about it. After all, AdWare doesn’t tend to make headlines — but maybe it should. If it did, networks like AppNexus might be inspired to work harder against well-studied malware, and publishers might look for a solution to prevent hackers from using their platforms as a feeding frenzy for personal data. Well, here’s my shot at making that happen.
In a statement published today, Twitter disclosed a security incident during which third-parties exploited the company's official API (Application Programming Interface) to match phone numbers with Twitter usernames.
In an email seeking clarifications about the incident, Twitter told ZDNet that they became aware of exploitation attempts against this API feature on December 24, 2019, following a report from tech news site TechCrunch. The report detailed the efforts of a security researcher who abused a Twitter API feature to match 17 million phone numbers to public usernames.
Twitter says that following this report it intervened and immediately suspended a large network of fake accounts that had been used to query its API and match phone numbers to Twitter usernames.
During its investigation into the report, the social network told ZDNet that it also discovered additional evidence that this API bug had also been exploited by other third-parties, beyond the security researcher at the heart of the TechCrunch report.
Twitter did not clarify who these third-parties were, but it did say that some of the IP addresses used in these API exploitation attempts had ties to state-sponsored actors, a term used to described either government intelligence agencies, or third-party hacking groups that benefit from a government's backing.
The company said it is disclosing today the findings of its investigation "out of an abundance of caution and as a matter of principle."
According to Twitter, the attackers exploited a legitimate API endpoint that allows new account holders to find people they know on Twitter. The API endpoint allows users to submit phone numbers and matches them to known Twitter accounts.
Twitter says the attacks did not impact all Twitter users, but only those who enabled an option in their settings section to allow phone number-based matching.
"People who did not have this setting enabled or do not have a phone number associated with their account were not exposed by this vulnerability," Twitter said.
The social network said it immediately made a number of changes to this endpoint after it detected the attack "so that it could no longer return specific account names in response to queries."
During the Super Bowl, Google expects you to cry, as well as marveling what its AI can do.
Everybody's crying.
In the first few hours after Google released its Super Bowl ad, more than a million people watched it and shed tears. Well, if you believe the comments on YouTube at least.
Sample: "Me: ugh an ad, watches reguardless. Also me after watching: bawling my eyes out that was beautiful and heartbreaking. Bravo."
Bravo, indeed. Here we have the story of an older man missing his -- we assume -- now deceased wife, Loretta. He Googles "How To Not Forget."
The answer, of course, is to commit your every moment to Google's artificial intelligence. Preferably as they're happening.
I apologize for that bout of realpolitik. Back to the ad. Google helps our grandpa by showing him photos of him and Loretta, as well as helping him to remember their favorite movie, her favorite flowers and other personal details.
Having been able to witness all these things, as his memory begins to fade, Grandpa concludes he's the luckiest man in the world.
How can one not be transported to tears after something so beautifully executed? Not that tears are necessarily what you want to be experiencing during an NFL game, but still. The whole thing is deeply poignant.
Then again, this beguiling tale has some small print. Google is kind enough to lay some of this out on YouTube, in a manner that's at least slightly more understandable than, say, its privacy policies have been for the last decade.
So, for Google's Assistant to bring up your photos, remember to "make sure you and your favorite people are tagged in your Google Photos."
Can you imagine if you forget? Some of your favorite photos might be buried. No matter. Let's move on. Next, Google explains, you have to remember to tell the Assistant what to remember. "Then," says Google, "to see everything you've asked the Assistant to remember, just say, 'Hey Google, what did I tell you to remember?'"
OK, I'll try to remember that.
Then there are the instructions for Google showing you photos from, say, your anniversary: "To see photos from a wedding, anniversary, birthday, or graduation, you'll need a Google Photos account, and you'll also need to tell your Assistant the specific date. Just say something like, 'Hey Google, remember my anniversary is May 18th' or 'remember Mark's birthday is March 30th.'"
Are you getting the impression that, in retirement, your job will be full-time Google programmer? If you don't remember to program your whole life into your machine, what will become of you? This feels like a daily update to your insurance policy.
Through all your Super Bowl tears, Google has some more, very detailed instructions. If you want it to know your favorite movie, that is: "First, tell your Google Assistant what your favorite movie is by saying, 'Hey Google, our favorite movie is Casablanca.' Once you've purchased your favorite movie on Google Play Movies or YouTube, all you have to say is, 'Hey Google, play our favorite movie' and the movie will start playing."
Oh, you have to give Google money?
Please, I don't want to stop you from bathing in this pathos. It really is very clever. I wonder, though, how many people will look at this ad, weep and then, a couple of days later, ask themselves why they keep on weeping.
Could it be that here we have an older man who seems to have no one else to talk to but a machine? After all, many believe that one of the great future uses of robots will be to look after seniors.
Cyber criminals are actively abusing the names of artists and songs nominated in Grammy awards in order to spread malware.
Kaspersky technologies detected a 39% rise in attacks - attempts to download or run malicious files - under the guise of nominees’ work in 2019, compared to 2018.
“Even in the age of streaming services, music is not free from malicious activity: criminals use popular artists’ names to spread malware hidden in music tracks or video clips,” says Kaspersky.
With the Grammy’s being the biggest music awards of the year, to show the extent of the problem Kaspersky researchers analysed Grammy 2020 nominated artists’ names and song titles for malware.
As a result, Kaspersky found a total of 30 982 malicious files that used the names of artists or their tracks in order to spread malware, with 41 096 Kaspersky product users having encountered them.
Analysis of the nominated artists showed that Ariana Grande, Taylor Swift and Post Malone were used the most to disguise malware, with over half of detected malicious files named after them.
However, according to Kaspersky, the connection between the rise in popularity and malicious activity is evident in the case of newer artists such as Billie Eilish. The teenage singer became extremely popular last year, and the number of users who downloaded malicious files with her name has risen almost tenfold compared to 2018. In South Africa, malware disguised as Billie Eilish songs accounted for only 205 in 2018, while 2019 saw this number increased to 15 354.
Anton Ivanov, Kaspersky security analyst, said attackers are always trying to capitalise on what is popular. Music, as well as TV shows, remains one of the most popular types of entertainment and, as a result, an attractive way to spread malware.
“However, as we see more and more users subscribing to streaming platforms, which do not require file download in order to listen to music, we expect that malicious activity related to this type of content will decrease,” he adds.
To avoid falling victim to malicious programs pretending to be popular music files, Kaspersky advises users to opt for reputable music download services and avoid suspicious links promising exclusive music content.
“Also, look at the downloaded file extension. Even if you are going to download an audio or video file from a source you consider trusted and legitimate, the file should have an mp3, .avi, .mkv or .mp4 extension among other music and video formats, definitely not .exe or .lnk,” he adds
An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world's biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it.
The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples' internet browsing histories. They show that the Avast antivirus program installed on a person's computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called "All Clicks Feed," which can track user behavior, clicks, and movement across websites in highly precise detail.
Avast claims to have more than 435 million active users per month, and Jumpshot says it has data from 100 million devices. Avast collects data from users that opt-in and then provides that to Jumpshot, but multiple Avast users told Motherboard they were not aware Avast sold browsing data, raising questions about how informed that consent is.
The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites. It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.
Although the data does not include personal information such as users' names, it still contains a wealth of specific browsing data, and experts say it could be possible to deanonymize certain users.
In a press release from July, Jumpshot claims to be "the only company that unlocks walled garden data" and seeks to "provide marketers with deeper visibility into the entire online customer journey." Jumpshot has previously discussed some of its clients publicly. But other companies mentioned in Jumpshot documents include Expedia, IBM, Intuit, which makes TurboTax, Loreal, and Home Depot. Employees are instructed not to talk publicly about Jumpshot's relationships with these companies.
"It's very granular, and it's great data for these companies, because it's down to the device level with a timestamp," the source said, referring to the specificity and sensitivity of the data being sold. Motherboard granted the source anonymity to speak more candidly about Jumpshot's processes.
Until recently, Avast was collecting the browsing data of its customers who had installed the company's browser plugin, which is designed to warn users of suspicious websites. Security researcher and AdBlock Plus creator Wladimir Palant published a blog post in October showing that Avast harvest user data with that plugin. Shortly after, browser makers Mozilla, Opera, and Google removed Avast's and subsidiary AVG's extensions from their respective browser extension stores. Avast had previously explained this data collection and sharing in a blog and forum post in 2015. Avast has since stopped sending browsing data collected by these extensions to Jumpshot, Avast said in a statement to Motherboard and PCMag.
However, the data collection is ongoing, the source and documents indicate. Instead of harvesting information through software attached to the browser, Avast is doing it through the anti-virus software itself. Last week, months after it was spotted using its browser extensions to send data to Jumpshot, Avast began asking its existing free antivirus consumers to opt-in to data collection, according to an internal document.
"If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot," an internal product handbook reads. "What URLs did these devices visit, in what order and when?" it adds, summarising what questions the product may be able to answer.
Senator Ron Wyden, who in December asked Avast why it was selling users' browsing data, said in a statement, "It is encouraging that Avast has ended some of its most troubling practices after engaging constructively with my office. However I’m concerned that Avast has not yet committed to deleting user data that was collected and shared without the opt-in consent of its users, or to end the sale of sensitive internet browsing data. The only responsible course of action is to be fully transparent with customers going forward, and to purge data that was collected under suspect conditions in the past."
Despite Avast currently asking users to opt back into the data collection via a pop-up in the antivirus software, multiple Avast users said they did not know that Avast was selling browsing data.
"I was not aware of this," Keith, a user of the free Avast antivirus product who only provided their first name, told Motherboard. "That sounds scary. I usually say no to data tracking," they said, adding that they haven't yet seen the new opt-in pop-up from Avast.
"Did not know that they did that :(," another free Avast antivirus user said in a Twitter direct message.
Motherboard and PCMag contacted over two dozen companies mentioned in internal documents. Only a handful responded to questions asking what they do with data based on the browsing history of Avast users.
"We sometimes use information from third-party providers to help improve our business, products and services. We require these providers to have the appropriate rights to share this information with us. In this case, we receive anonymized audience data, which cannot be used to identify individual customers," a Home Depot spokesperson wrote in an emailed statement.
Microsoft declined to comment on the specifics of why it purchased products from Jumpshot, but said that it doesn't have a current relationship with the company. A Yelp spokesperson wrote in an email, "In 2018, as part of a request for information by antitrust authorities, Yelp's policy team was asked to estimate the impact of Google’s anticompetitive behavior on the local search marketplace. Jumpshot was engaged on a one-time basis to generate a report of anonymized, high-level trend data which validated other estimates of Google’s siphoning of traffic from the web. No PII was requested or accessed."
"Every search. Every click. Every buy. On every site."
Southwest Airlines said it had discussions with Jumpshot but didn't reach an agreement with the company. IBM said it did not have a record of being a client, and Altria said it is not working with Jumpshot, although didn't specify if it did so previously. Google did not respond to a request for comment.
On its website and in press releases, Jumpshot names Pepsi, and consulting giants Bain & Company and McKinsey as clients.
As well as Expedia, Intuit, and Loreal, other companies which are not already mentioned in public Jumpshot announcements include coffee company Keurig, YouTube promotion service vidIQ, and consumer insights firm Hitwise. None of those companies responded to a request for comment.
On its website, Jumpshot lists some previous case studies for using its browsing data. Magazine and digital media giant Condé Nast, for example, used Jumpshot's products to see whether the media company's advertisements resulted in more purchases on Amazon and elsewhere. Condé Nast did not respond to a request for comment.
ALL THE CLICKS
Jumpshot sells a variety of different products based on data collected by Avast's antivirus software installed on users' computers. Clients in the institutional finance sector often buy a feed of the top 10,000 domains that Avast users are visiting to try and spot trends, the product handbook reads.
Another Jumpshot product is the company's so-called "All Click Feed." It allows a client to buy information on all of the clicks Jumpshot has seen on a particular domain, like Amazon.com, Walmart.com, Target.com, BestBuy.com, or Ebay.com.
In a tweet sent last month intended to entice new clients, Jumpshot noted that it collects "Every search. Every click. Every buy. On every site" [emphasis Jumpshot's.]
Jumpshot's data could show how someone with Avast antivirus installed on their computer searched for a product on Google, clicked on a link that went to Amazon, and then maybe added an item to their cart on a different website, before finally buying a product, the source who provided the documents explained.
One company that purchased the All Clicks Feed is New York-based marketing firm Omnicom Media Group, according to a copy of its contract with Jumpshot. Omnicom paid Jumpshot $2,075,000 for access to data in 2019, the contract shows. It also included another product called "Insight Feed" for 20 different domains. The fee for data in 2020 and then 2021 is listed as $2,225,000 and $2,275,000 respectively, the document adds.
Jumpshot gave Omnicom access to all click feeds from 14 different countries around the world, including the U.S., England, Canada, Australia, and New Zealand. The product also includes the inferred gender of users "based on browsing behavior," their inferred age, and "the entire URL string" but with personally identifiable information (PII) removed, the contract adds.
Omnicom did not respond to multiple requests for comment.
According to the Omnicom contract, the "device ID" of each user is hashed, meaning the company buying the data should not be able to identify who exactly is behind each piece of browsing activity. Instead, Jumpshot's products are supposed to give insights to companies who may want to see what products are particularly popular, or how effective an ad campaign is working.
"What we don't do is report on the Jumpshot Device ID that executed the clicks to protect against the triangulation of PII," one internal Jumpshot document reads.
But Jumpshot's data may not be totally anonymous. The internal product handbook says that device IDs do not change for each user, "unless a user completely uninstalls and reinstalls the security software." Numerous articles and academic studies have shown how it is possible to unmask people using so-called anonymized data. In 2006, New York Times reporters were able to identify a specific person from a cache of supposedly anonymous search data that AOL publicly released. Although the tested data was more focused on social media links, which Jumpshot redacts somewhat, a 2017 study from Stanford University found it was possible to identify people from anonymous web browsing data.
"De-identification has shown to be a very failure-prone process. There are so many ways it can go wrong," Günes Acar, who studies large-scale internet tracking at the Computer Security and Industrial Cryptography research group at the Department of Electrical Engineering of the Katholieke Universiteit Leuven, said.
De-anonymization becomes a greater concern when considering how the eventual end-users of Jumpshot's data could combine it with their own data.
"Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data," Acar said. A set of Jumpshot data obtained by Motherboard and PCMag shows how each visited URL comes with a precise timestamp down to the millisecond, which could allow a company with its own bank of customer data to see one user visiting their own site, and then follow them across other sites in the Jumpshot data.
"It's almost impossible to de-identify data," Eric Goldman, a professor at the Santa Clara University School of Law, said. "When they promise to de-identify the data, I don't believe it."
Motherboard and PCMag asked Avast a series of detailed questions about how it protects user anonymity as well as details on some of the company's contracts. Avast did not answer most of the questions but wrote in a statement, "Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software."
"Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020," it said, adding that the company complies with the California Consumer Privacy Act (CCPA) and Europe's General Data Protection Regulation (GDPR) across its entire global user base.
"We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data," the statement added.
"It's almost impossible to de-identify data."
When PCMag installed Avast's antivirus product for the first time this month, the software did ask if they wanted to opt-in to data collection.
"If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purpose of enabling Jumpshot to analyze markets and business trends and gather other valuable insights," the opt-in message read. The pop-up did not go into detail on how Jumpshot then uses this browsing data, however.
"The data is fully de-identified and aggregated and cannot be used to personally identify or target you. Jumpshot may share aggregated insights with its customers," the pop-up added.
Just a few days ago, the Twitter account for Avast subsidiary AVG tweeted, "Do you remember the last time you cleaned your #browser history? Storing your browsing history for a long time can take up memory on your device and can put your private info at risk."
Bitcoin represents the explicit encoding of previously implicit values of the tech community. It's not just software — it is a Schelling point and a symbol. As such, it will become widely recognized as the flag of technology over the course of the 2020s.
To understand this claim, we need to define what "technology" is, what a "flag" would mean in this context, and why Bitcoin would be chosen as that flag. Let's proceed in turn.
Technology: the values behind the valuations
Technology is the culture that Silicon Valley built and exported. It is the global community of founders, investors, engineers, and designers. And it is the code, apps, products, and billion dollar companies. But most fundamentally, it's the values that underpin the valuations.
These values are implicit in common terms like MVP, product-market fit, or the idea maze. And they are expressed in writing via popular books by the most accomplished people in tech.
But they usually aren't articulated outright. If we were to enumerate them, we'd find that technology is internationalist, capitalist, decentralized, hyperdeflationary, networked, encrypted, digital, volatile, ambitious, and quietly revolutionary. These are the values of technology.
Bitcoin (and crypto more generally) moves us beyond the implicit by expressing these values in a piece of code that doubles as an investment vehicle. The code speaks to the developers, the upside appeals to the investors, and the values encoded within speak to both. If you believe in these values, you tend to buy Bitcoin.
Bitcoin: an ideological flag and a Schelling point
Recall that not every flag represents a geographical entity. Some of them represent movements, like the Gadsen flag or the rainbow flag. Bitcoin becomes a flag in this sense, as the encoding of technology's aforementioned values. An ideological flag, rather than a geographic one.
Bitcoin also becomes a flag in another sense: a rallying point, a Schelling point for an entrepreneurial community.
Recall that a Schelling point occurs when a community coordinates without explicit coordination. The classic example is when two strangers know that they must meet in New York City on a given day, but are not told where or when. They need to guess what the other person will do without communicating with them. The equilibrium solution to this is usually "meet at 12 noon in front of the Grand Central Terminal information booth."
Similarly, if we asked the question of what two random people in the global tech community would coordinate on, we start to find that American, Chinese, and Russian technologists who otherwise don't agree on much tend to agree that Bitcoin is valuable.
For example, Jack Dorsey runs Twitter, Reid Hoffman founded LinkedIn, and Marc Andreessen and Peter Thiel are on the board of Facebook – but all of them are pro-Bitcoin. Similarly, Binance founder Changpeng Zhao and Telegram founder Pavel Durov are Chinese-Canadian and Russian expatriates respectively, and are also pro-Bitcoin. Different countries, different backgrounds, but a shared belief in digital currency.
It's hard to get folks like this to all agree on something. If you think about it, the global tech community is not going to line up behind Google, or Facebook, or WeChat, or Yandex. Even if a founder respects the products these companies built, as a capitalist they are always aware that there may be economic disalignment at some point in the future. What is good for Google may not always be good for you.
What technologists do tend to align around are (a) open source projects where alignment is less material and (b) investments where alignment is quantifiable. Bitcoin is both of these.
With respect to open source, the closest analogy to Bitcoin may be Linux. Like Linux, all can profit from Bitcoin but none can corrupt it. For example, Google and Facebook are tough competitors – but they cooperate on Linux because it's a demilitarized zone where one party cannot deprive the other of their contributions. Microsoft may have its own OS, but even Microsoft has to respect Linux nowadays.
Similarly, within the crypto community as well – which is overlapping with but not identical to the tech community – whatever project someone is starting, they are aware of Bitcoin, respect it, and likely hold some. Whatever exchange someone is running, they will have Bitcoin support. Whatever crypto tutorial someone is writing, they will assume the user knows something about Bitcoin.
Bitcoin is thus many people's first choice and many people's second choice. This means it will become the community's first choice. That's why Bitcoin is also a flag in the sense of a Schelling Point – something to rally around.
Bitcoin encodes the values of Technology
But when the global tech community rallies around the flag of Bitcoin, what exactly is it getting behind?
As noted above, we argue that Bitcoin encodes the following implicit values of technology: internationalist, capitalist, decentralized, hyperdeflationary, networked, encrypted, digital, volatile, ambitious, and quietly revolutionary. Let's go through each of these in turn.
Internationalist
Bitcoin and technology are both intrinsically internationalist.
The tech industry may have begun in Silicon Valley, but it's a global phenomenon at this point. Within the US, more than 60% of the most valuable technology companies were founded by first and second generation immigrants. And with 51% of unicorns now outside the US, tech extends far beyond Silicon Valley to every country with an internet connection.
The same is true for Bitcoin. Millions of crypto traders are distributed across the world, there are thousands of Bitcoin meetups happening in hundreds of cities, and every major nation state is aware of cryptocurrency.
Capitalist
Bitcoin and technology are both fundamentally capitalist.
The tech industry proper revolves around entrepreneurs, angel investors, venture capitalists, M&As, and IPOs. The broader tech community also includes academic engineers and the open source community, neither of which are for-profit, but both of which are far more capitalism-friendly than their counterparts in academic humanities departments and traditional nonprofits.
Bitcoin likewise is about capitalism. It is a ledger of transactions. It is a speculative investment. It is the digitization of money. It is a transnational form of property rights. It's delivered venture returns. And it encodes the history of an entire economy in its blockchain. As such it's intrinsically capitalist.
Decentralized
Bitcoin and technology are both highly decentralized.
As Benedict Evans noted recently, the great thing about tech monopolies is how many there are to choose from! Any market map of a tech sector will show the same thing: a profusion of dozens or hundreds of companies in any industry, all vying for different pieces of the market. There are hundreds of millions of websites, almost five million startups on AngelList, thousands of angel investors, and hundreds of large VC firms. There is no single chokepoint in tech, no one financier or platform that you must deploy on to succeed.
The same is true for Bitcoin, and crypto more generally. Satoshi famously designed Bitcoin such that no single miner could censor transactions on the network, and called it "completely decentralized with no server or central authority". While there's always more to be done in terms of quantifying and improving decentralization, the ecosystem has miners, nodes, exchanges, developers, and investors, each of whom have competing interests, and (ideally) none of whom has a veto over Bitcoin.
Finally, there's one more level of decentralization: decentralization across coins. There are now enough different approaches to consensus and privacy that it's highly unlikely that cryptocurrency as a phenomenon will ever vanish. The vulnerabilities for proof-of-work are not the same as those for proof-of-stake, delegated proof-of-stake, proof-of-space, and so on. It's unlikely that any single issue can now take out all coins and all exchanges simultaneously. At least some will survive.
Thus in an absolute worst case scenario of a global crackdown on cryptocurrencies where Bitcoin itself is found to suffer from an unfixable vulnerability, we can expect a partial migration to surviving coins as well as an import of the Bitcoin ledger into one of the surviving chains. The reason is that Bitcoin ledger is so highly replicated, and has so many stakeholders behind it, that it is practically impossible to erase from the earth. It will be snapshotted and restored over and over again – even if the original network is shut down.
Hyperdeflationary
Bitcoin and technology are both agents of hyperdeflation.
The single most important graph in technology is arguably Moore's law. That's a story of hyperdeflation: if the number of transistors on an integrated circuit doubles every two years, the cost of computing roughly halves over the same period. In other words, the same dollar will buy more compute power tomorrow than today, even taking inflation into account.
And it's not just compute power. The areas that technology has disrupted have seen plummeting prices. We can see this visually, if we compare the number of different pieces of hardware replaced by a single iPhone. We can see this quantitatively, if we compare the cost of browsing Wikipedia or Spotify to the equivalent in physical encyclopedias or compact disks. And we can see this visually if we compare the long-term trajectory of costs in the sectors technology has touched (televisions, software, phones) to those it has not yet disrupted (education, healthcare).
Bitcoin is also hyperdeflation incarnate. It's not just that BTC was the best investment of the 2010s, and increased by orders of magnitude in value relative to the USD over the last ten years – though it's always worth keeping this miraculous ten year chart in mind.
It's also that Bitcoin represents a form of hyperdeflation complementary to and different from Moore's law. If Moore's law was about creating value by reducing the cost of computation, Bitcoin is about capturing value by shielding it from inflationary pressure. Or as the meme goes:
Eventually, if Bitcoin truly achieves its destiny, we'll use BTC as a unit of account. That's called hyperbitcoinization.
Networked
Bitcoin and technology are both network-based.
To say that technology is based on the internet is obvious. To say that it is about social networks, loose collaborations, non-geographical associations, and routing algorithms is also obvious. But the long-term implication of this is that the geodesic distance between two points in a social network is becoming more important than the great circle distance between two points on the surface of the earth.
So too with Bitcoin, and cryptocurrency more generally. Perhaps only one in 100 people on the face of the Earth holds Bitcoin today, at most 50 million people. In the early days of Bitcoin it was far fewer.
But they were effectively all together in the same room thanks to the internet. It didn't matter how far apart they were geographically; they were all part of the same idea, linked through a computer network. They could partially opt out of their country's currency (based on geographical proximity to their neighbors) and partially opt in to this new world (based on ideological proximity to people of shared mind).
The freedom to associate with anyone, anywhere in the world based on ideas shared through a computer network is a core value implicitly shared by both technology and Bitcoin that is radically different from the premises of the Westphalian state.
Encrypted
Bitcoin and technology are both founded on encryption.
The modern technology industry only exists because of encryption on the internet. Without SSH for encrypted connections there would be no cloud, no remote work, no deployments. Without SSL and HTTPS for encrypting credit card and wire information there would be no ecommerce, no payment companies, no ads, and no subscriptions. The fundamental engineering and payments infrastructure for creating wealth on the internet would not exist.
Similarly, Bitcoin only exists because of decades of work in theoretical and applied cryptography. Without concepts like public key cryptography, digital signatures, hashing, and hashcash or implementations like SHA-256, RIPEMD-160, and secp256k1, Bitcoin would not be feasible. The fundamental cryptographic constructions required to represent, transmit, and safeguard wealth through Nakamoto consensus would not be available.
Digital
Bitcoin and technology are both inherently digital.
This again is almost too obvious to point out, but over the last thirty years the technology industry has digitized books, magazines, movies, newspapers, photos, letters, advertisements, music, documents, radio, television, and every form of media. Tech has also digitized things we didn't even think of as "digital" in the 1980s, from your Fitbit steps to your preference settings within an app. And of course digitization unlocked the ability to copy a file, to share it, to edit it, to aggregate it, to do machine learning on it, and much more.
Bitcoin and cryptocurrency more generally are the next phase in digitization. While the technology industry had digitized everything that was not scarce, until Nakamoto consensus we did not have a native representation of digital scarcity. Workarounds like PayPal used a centralized database to simulate digital scarcity, but at base they relied upon a set of permissioned actors with root privileges to guarantee that scarcity. Bitcoin's blockchain changed all that.
Once people realized that Bitcoin's blockchain was a cryptographically secure way to represent a public database of who possessed digital currency, they quickly realized that similar approaches could be used to digitize stocks, bonds, commodities, derivatives, REITs, mortgages, loans, and every single kind of financial asset. Moreover, as with the first wave of tech-driven digitization, we will be able to compose these building blocks of digital finance to create new applications. And we are also en route to digitizing identity, property rights, and eventually governance itself.
Volatile
Bitcoin and technology are both highly volatile.
Startups are volatile. Many startups fail. Bankruptcies are common. Post-mortems are common. Failure is not welcomed, but it is budgeted for, accepted, and possible. VCs are all about the power law, where a single investment can succeed and pay for all the others. Persistent entrepreneurs can sometimes win big. And patient, long-term capital has a chance of winning 1000X returns.
The underlying reason for this is that variance increases with small sample sizes. When you only have ten employees, a single person quitting can tank the company. Conversely, if you only have ten customers and you bring in a large sale, that one event could boost the revenues of the company by 10%, attract a key investment, and lead to the long-term success of the venture.
Bitcoin is similarly volatile. The price graph alone shows multiple 80-90% drops over the past ten years. The number of failed Bitcoin startups is legion. And the number of new Bitcoin millionaires is as well. Bitcoin is, in many ways, the world's first publicly traded hypergrowth startup. And it is exposing millions of people to the vicissitudes of startup culture, the virtues of persistence and patience, and the downside of quitting too early and proclaiming premature death.
Ambitious
Bitcoin and technology are both breathtakingly but rationally ambitious.
The ambition of the tech entrepreneur is often mocked. But without the belief that one could build a spaceship, create an electric car, organize the world's information, or connect billions of people, we would simply not have the companies we have today. The strength of technology is realistic ambition, rational ambition, ambition based on calculated risks and quantified upsides.
Bitcoin's ambition was nothing less than the development of a new digital currency to rival the US dollar. Ten years later, it is clear that every central bank and financial institution in the world has heard of Bitcoin. Today, with the existence of multiple at-scale digital dollars, the very real possibility of China potentially rolling out a blockchain-based digital currency, and Bitcoin's #40 ranking on the fiat market cap charts, it's not crazy to say that Bitcoin has changed the world – and may well give the dollar a run for its money.
But it was crazy to think that Bitcoin could compete with the dollar in 2009. It was a piece of software posted on a mailing list! Yet in the very first exchange after Satoshi posted the whitepaper, it was clear that Hal Finney and Satoshi were wildly yet rationally ambitious. Hal calculated a scenario in which each BTC was worth $10M per coin:
Given the ad arguendo supposition that Bitcoin would work at a technical level, he made a Fermi estimate of the valuation based on a set of logical premises. And once Bitcoin's technology did prove to work, and once enough others understood those premises, BTC got to $10,000 per coin in the first ten years. Of course, that's not yet $10M and a replacement for the US dollar – but as they say, the first billion is the hardest.
Quietly Revolutionary
Last, but not least, Bitcoin and technology are both quietly revolutionary.
Technology did not disrupt the music industry, the taxi business, or the newspaper business through traditional political activism. It simply built better products that millions of people voluntarily chose to purchase or use of their own accord. And through these many quiet, individual, personal decisions enormous change was wrought, as these graphs demonstrate:
Similarly, Bitcoin is not about accomplishing change through folk activism. It's a network-based phenomenon which has accomplished a revolution in monetary policy through a billion private actions rather standing on the street corner spouting slogans. It is quietly revolutionary.
What comes next?
We've explained how Bitcoin (and crypto more broadly) encodes the implicit values of technology. It is internationalist, capitalist, decentralized, hyperdeflationary, networked, encrypted, digital, volatile, ambitious, and quietly revolutionary.
I believe that over the 2020s, the technology industry will end up aligning behind Bitcoin and crypto as part of a broader international realignment. Cryptocurrency simultaneously reflects many fundamental American values (like freedom of speech, freedom of contract, freedom of association, protection against unreasonable search & seizure, the right to privacy, and so on) while also demonstrating broad international appeal to millions of people around world.
This realignment would not be traditional right vs left, but rather land vs cloud, state vs network, centralized vs decentralized, new money vs old money, internationalist/capitalist vs nationalist/socialist, MMT vs BTC, and (perhaps most symbolically) Hamilton vs Satoshi. The new American center may be decentralized.
But that is a story for another time. Until then, I leave you with this.
