The following is a guest post from Hipster CEO Doug Ludlow, following yesterday and today’s revelations that select apps were uploading users’ entire address books to their databases.
We blew it, we’re sorry, and we’re going to make it right.
It’s Hipster’s goal to provide a fun and beautiful service for our community to share where they are, and what they are doing – creating a safe environment for our users is of the utmost importance to us. However, when we built our “Find Friends” feature for iOS, we clearly dropped the ball when it comes to protecting our users’ privacy.
Yesterday, one of our Hipster users, Mark Chang (http://markchang.tumblr.com/) wrote a blog post detailing a few ways in which our “Find Friends” feature handles user privacy issues. You can read his post here.
Mark’s criticisms were spot on, and needless to say we’re pretty embarrassed by the situation. Embarrassed not because we had malicious goals in mind (we don’t store the contact data we pull – we just match it to existing users), but embarrassed by the fact that we pushed a feature that doesn’t meet our standards for the protection of our users’ data.
How are we working to remedy the situation? In an update that will be available through iTunes this week, we’ve changed the way our “Find Friends” feature works on iOS. Rather than automatically pull in a user’s contacts to help them find people already on Hipster, we’re making this feature opt-in, and users will have to confirm that they want to grant access to their address book. In addition, this data will now be transferred through an SSL connection.
But where do we go from here?
We’d like to use our recent experience to help improve the mobile industry as a whole.
On Thursday, February 17th, we’ll be hosting an “Application Privacy Summit” here at Hipster’s SF office to discuss user privacy in mobile applications.
In addition to discussing best practices and privacy standards, the goal of the summit will be to come up with a “privacy pledge” – one that can be adopted by all apps, detailing for users what types of privacy expectations they should have. Applications will be able to boast that they have agreed to the privacy pledge, which should help give their users sense of mind regarding their personal data.
Invitations are being sent out to the CEOs of major mobile application companies, and we hope they will attend. In addition, if you’re interested in attending, please email me at Doug@Hipster.com.
We made a mistake, but we hope that what we’ve learned will shed light on the need for clear standards when it comes to protecting user privacy. Doing so will only do great things for our industry, our companies, and most importantly, our users.
We’ve pointed out for years that the whole structure of SSL certificate-based security is open to attack via man-in-the-middle attacks… if you can somehow get a certificate authority to grant you a fake certificate. Of course, the protection against that was supposed to be that a certificate authority wouldn’t do that. But what if one did? Certificate authority Trustwave has admitted that it issued a certificate to a company that allowed it to issue “valid” certs for any server. Basically, it gave a company the ability to do any kind of man-in-the-middle attack it wanted on employees. Trustwave has admitted to all this after revoking the certificate. They insist that the structure was limited so that it could only be used internally on the network. But, while it was out there, it basically allowed this company to effectively spy on employee activities, allowing the company to do man-in-the-middle attacks, as employees logged into private (“encrypted”) accounts from their own devices, and see what they were doing. Considering this certificate was issued for “loss prevention,” it’s not hard to guess how it was used.
Either way, it’s pretty scary that Trustwave would think it was a reasonable move to allow this kind of activity, no matter how carefully the company believes it was set up. In a world where people have perfectly valid reasons for using private personal internet services from the workplace, they should be able to trust that those connections are secure. Thanks to Trustwave’s deal with this (unnamed) company, that was not the case. On top of that, there’s no telling if other certificate authorities are doing the same thing elsewhere, significantly compromising SSL security.
In the end, this is a significant reminder that certificate-based security systems have serious weaknesses, and that the certificate authorities might not always be trustworthy…
Let’s try to parse this.
Pirate Bay (.se) user allisfine just recently uploaded a torrent to the site that is a collection of all the magnet identifiers for the entire site (actually, only about a quarter of the site, but all the publicly visible ones). That is to say, it is a list of the unique identifiers, cryptographic hashes, of every .torrent file on the site.
In a way, this torrent file, or indeed its magnet identifier (938802790a385c49307f34cca4c30f80b03df59c), contains millions or billions of dollars worth of pirated content. Or does it?
It’s more a philosophical question than a technical one, which is why folks like the MPAA and RIAA will always be able to stay on one side of it. Yes, linking to copyrighted content is a crime. And linking to a link is a crime (as we’ve seen in Twitter DMCA takedowns). That’s a link to a link to a file that lets you download the file. What about a link to a link to a link? You can’t fool me, young man, it’s copyright violations all the way down.
That’s absurd, of course, yet like many absurd things, it makes a certain amount of sense. It doesn’t matter how many steps you take, if your destination is copyrighted, then you’re in trouble. But there’s just as much absurd ammo on the other side as well.
Consider the magnet identifier for this meta-torrent (or the DeCSS code, or a secure piece of electronics’ “master key,” or the like). Encode it as a series of integers. Is that series of integers a copyright violation?
What about π, an irrational number calculable by anybody that contains that series of integers if you look long enough? What about an image file that has three pixels of black, then five pixels of white, then two pixels of red, and so on? Is that pattern a violation? What if I think it’s beautiful and I put it on the wall, and have no idea it’s actually a visual representation of a hash of a hash of a torrent containing a compressed file containing the hashes of files that act as pointers to copyrighted information?
Naturally, there must be a cap put on such hijinx. It will likely be clear when someone intended information to be a distributive mechanism for copyrighted or sensitive content. The nature of the container is to some extent irrelevant. But some of these issues need to be hashed out, so to speak, so that it’s not just a logical but a legal reality that no one can be charged with a billion in statutory damages for writing a short series of numbers on a napkin. It sounds silly until it’s being decided by the Supreme Court.
The nature and legal status of data in its many strange forms is a process we likely will never be done with. But small quandaries like this are worth savoring, before their solutions are etched in stone and gradually become the status quo. People talk about the web as if its “Wild West” days are behind it. These people lack imagination.
[hat tip to the fun Hacker News discussion, ongoing]
Got FOMO? (That’s “fear of missing out” for those of you who don’t do slang.) There will soon be an app for that, or so says the $3.4 million in angel funding the stealthy D.C.-area startup called timeRAZOR has raised. In its pre-launch state, the curious company is already lining up brand partnerships with big names like Marriott and L’Oreal in preparation for its March debut.
But what the heck is a timeRAZOR?
According to CEO and co-founder, Jeff White (formerly the founder of govWin), timeRAZOR is a mobile application that will help people discover interesting and relevant things to do close to where they are.
“We’re an app that keeps you connected with what’s going on so you don’t miss out on the things you want to do while juggling the things you need to do,” he tells us.
Oh, so it’s like calendar 2.0 then? Well sort of. Maybe. The app is also using some sort of smart, patent-pending technology to offer serendipitous discovery of those “things going on” nearby the places you’re planning to be. This is where the brand partnerships come in, apparently.
“TimeRAZOR includes a predictive marketing element [brands] find enticing. Our ability to allow brands to be inserted in the highly intimate, welcomed, non-invasive engagement with our users is very enticing,” White explains. Companies currently working with the startup include L’Oreal’s Active Cosmetics Division, Marriott Renaissance Hotels, World Adult Kickboxing Association (WAKA), Vail Valley Foundation, JetSet Studios, several local retail properties (The Shops at Dos Lagos, The Village at Leesburg and West 7th), and Boston-area HWS Group’s four minor league baseball teams.
Additional details are being kept close to the chest, though. And frankly, none of this is much to go on. White says the company will announce exactly how the partners are working with timeRAZOR in the next few weeks.
Also interesting is timeRAZOR’s board of advisors, which include comScore co-founder Linda Abraham, former Microsoft exec Eddie Amos and Gene Riechers, co-founder and senior advisor at Valhalla Partners.
White and timeRAZOR co-founder Victoria Clark, also formerly of govWin, began work on the product back in June 2011. It looks like the funding actually closed in the fall, but the company is just now making the announcement as they ramp up to launch. It’s kind of intriguing to see that a few name brands (and other smaller brands) have signed on to participate in timeRAZOR when the service hasn’t even launched yet. However, without knowing the details it’s hard to say whether the brands were just having a case of FOMO themselves, or if there’s really something here.
When it comes to a marketplace for fine art, a space which seems to intrinsically resist digital services, technology really hasn’t had quite the same disruptive influence it has in so many others. Startups like Zazzle and Art.com have taken steps to make art commercial and broadly accessible, with some cool technology to boot, but automation and democratization haven’t really penetrated the upper crust world of fine art in any significant way, for understandable reasons. Democratic luxury sounds like an oxymoron, or phony marketing.
Founder Collective, an early-stage venture capital fund based in NYC, has made some smart bets on disruptive models in niche markets, namely on Uber (and Makerbot and Milo), and today the fund is collectively making a bet on the online art market with a startup called Paddle8. Today, Founder Collective announced that it is leading the series A financing of Paddle8, investing $4 million alongside Mousse Partners (a private investment firm affiliated with the luxury goods company, which has invested in Paperless Post and Warby Parker). As a result of the financing, David Frankel of Founder Collective will be joining the startup’s board of directors.
With this infusion of capital, Paddle8 hopes to cement a position as an online destination for both beginner and veteran collectors to access fine art works by way of curated selection, insider opinions, on top of a transaction platform that brings automation to the startup’s storefront.
And that’s where Paddle8’s value proposition lies: on the one hand, it is providing a set of tools and services that enable galleries to run their back ends via its platform, allowing them to ship, insure and install the purchased art without any limitation on time and geography. (A dashboard for inventory and transactional management is in the pipeline.)
On the other hand, the NYC-based startup is racking up 100,000 pageviews per day on its current stock and adding 2,000 hand-picked art collectors per month. Art buyers are becoming a more and more global (and less homogenous) audience, and Paddle8 wants to become the service that introduces them to the well-dressed concoction of fine art and eCommerce, engages them online while streamlining purchasing, insuring, and shipping.
Paddle8 has already formed partnerships with museums like the Los Angeles County Museum of Art (LACMA) and the Brooklyn Academy of Music (BAM), along with 200 other galleries. It will use its new infusion of capital to beef up its technology and feature set. For collectors, this means that it will be launching a new user interface that focuses on collector-to-collector engagement, dynamic editorial, customized navigation, enabling art buyers to browse art works from a slew of eras and media.
And for galleries, museums, and art fairs, this means that Paddle8 will provide B2B services like a point of sale transaction platform, virtual “private rooms” to showcase individual works of art (galleries generally have to rely on sending .JPEGs via email when showing pieces of art, as they usually don’t broadcast price), as well as a set of mobile apps that aim to bring ease and efficiency of search and purchase to that increasingly global audience of art hounds. Furthermore, galleries can also offer additional artworks outside of the exhibitions under their own name within Paddle8’s extended gallery.
The value and meaning of art often rely on context, and Paddle wants to provide that aspect to its community by inviting influential figures to participate as curators. Every month, a new guest curator introduces a set of works that center around a particular theme. Current curators include the inimitable Robin Williams and Warhol collaborator and Interview Magazine Co-founder Glenn O’Brien. The intent is for that content to become a multimedia archive that will act as an educational tool for the site’s visitors.
Somewhat ironically, Paddle8 is looking to bring democratizing and leveling technologies to a traditionally offline and luxury market, though co-founders Aditya Julka and Alexander Gilkes say they are not attempting to supplant the physical and emotional engagement with art, but “rather to enhance access to the fine art world via curation, services and community.”
Of course, to continue doing that, they have to monetize, which means that the startup will be taking a “low double digit” percentage of each transaction that takes place on the site. So far, the team has been able to find some traction in a notoriously prickly niche market, both in terms of visitors and revenue, without much capital. And now there are 4 million reasons why that could continue. Add some AR to product pages where users can view enhanced, 3-D representations of the art, and Paddle8 could sail on to victory. Though it’s clearly going to have some push-back from Art.sy.
For more, check out the company at home here.
Some people always see the good in people and some people always see the bad … Gawker just published a post with what at first seems to be some pretty damning evidence against Path founder Dave Morin, publishing an email where he assured writer Ryan Tate that Path wasn’t storing user data.
While today’s headlines would lead one to believe that the statement was a lie, Morin (who is a friend) tells me that the exchange is misleading out of context. He was actually talking about Path 1.0 in the email, which lacked the “Add Friends” feature and therefore did not store any data.
The “Add Friends” data storage was added in Path’s second iteration, so he was technically telling the truth at the time. Again, Path 1.0 did not store data — it was a completely different product back then.
I’m waiting for an official statement from Morin, in the meantime, here is the [old] Gawker email.
[Gawker: Is it correct that Path uses iPhone address book data? Thanks for any guidance!]
Hey Ryan,
Thanks for the good question.
Path is created to share personal moments with your close friends and family. From the end user’s point of view, access to your iPhone contacts makes sharing with your closest friends and family convenient.
Like many apps (i.e. Skype and Kik) — Path allows you to access your friends’ and family’s contact information from your own iPhone contacts in order to find them on the network.
One of our core principles here is that you must have contact information for someone in order to find them on Path. Usually, you have contact information for your close friends.
Path does not retain or store any of your information in any way.
That help?
Dave
[Emphasis added.]
Groupon just announced its first earnings report after going public last October. For the full year, Google’s revenues were $1.6 billion, up 419 percent. The daily deal company, however, lost $350 million, most of that attributable to its very aggressive international expansion (7,000 out of its 10,000 employees are overseas). In North America, it turned an operating profit of $22 million, which was counteracted by $137 million in international operating losses.
For the quarter, revenues were $506 million, up 194 percent. The net loss was $42.7 million, which at least was down from a $379 million quarterly net loss the year before. We’ll be doing our liveblog of the earnings call here.
Some other stats from the earnings:
Active customer base: 33 million, up 275% from Q4 2010 and up 20% from Q3 2011
Active gross billing per active customer (trailing 12 months): $188, up from $160 in Q4 2010
Mobile downloads: 26 million
Below is Groupon’s quarterly and full-year P&L:
Groupon, Inc.: Summary Consolidated and Segment Results
(dollars in thousands, except per share data) (unaudited)

| | Three Months Ended December 31, 2010 | Three Months Ended December 31, 2011 | Y/Y % Growth | Twelve Months Ended December 31, 2010 | Twelve Months Ended December 31, 2011 | Y/Y % Growth |
|---|---|---|---|---|---|---|
| Revenue (gross billings of $415,269, $1,247,873, $34,082, $745,348 and $4,002,506) | | | | | | |
| North America | $88,363 | $188,476 | 113.3% | $200,412 | $643,818 | 221.2% |
| International | 83,861 | 317,999 | 279.2% | 112,529 | 980,923 | 771.7% |
| Consolidated revenue | $172,224 | $506,475 | 194.1% | $312,941 | $1,624,741 | 419.2% |
| Operating (loss) income | (336,129) | 15,034 | 104.5% | (420,344) | (203,380) | 51.6% |
| Consolidated segment operating (loss) income | | | | | | |
| North America | $(21,905) | $35,786 | 263.4% | $(10,437) | $22,343 | 314.1% |
| International | (121,456) | 12,172 | 110.0% | (170,556) | (136,670) | 19.9% |
| CSOI(1) | $(143,361) | $47,958 | 133.5% | $(180,993) | $(114,327) | 36.8% |
| Net loss attributable to common stockholders | $(378,610) | $(42,730) | 88.7% | $(456,320) | $(350,845) | 23.1% |
| Pro-forma net loss attributable to common stockholders(2) | $(185,842) | $(9,806) | 94.7% | $(216,969) | $(261,792) | 20.7% |
| Net loss per share attributable to common stockholders | $(1.08) | $(0.08) | | $(1.33) | $(0.97) | |
| Pro-forma loss per share(3) | $(0.53) | $(0.02) | | $(0.63) | $(0.72) | |
Groupon just announced its first earnings since its IPO in November. For the fourth quarter of 2011, it reported revenue of $506.5 million, beating analyst estimates of $473 million. It’s also profitable, with net income of $15 million.
The company’s numbers are up almost across-the-board compared to the same period last year — revenue is up 194 percent, income is up from a $336.1 million loss. However, Groupon came up short on earnings per share, coming in at negative $0.02, rather than the positive $0.03 EPS that analysts were expecting. (That number includes a $0.07 cent tax from international operations.) As a result, at 4:20pm Eastern, Groupon was down 11.3 percent in after-hours trading.
In its guidance for the first quarter of 2012, Groupon is projecting revenue between $510 million and $550 million, and operating income between $15 million and $35 million.
The earnings call starts at 4:30pm Eastern — we’ll be liveblogging it.