Technology

A team of top security researchers from the University of California, Berkeley and MIT have come together to launch a new cryptographic project that combines secure software and hardware to enable privacy-preserving smart contracts under the banner of Oasis Labs.

That vision, which is being marketed as the baby of a union between Ethereum and Amazon Web Services, has managed to attract $45 million in pre-sale financing from some of the biggest names in venture capital and cryptocurrency investing.

The chief architect of the project (and chief executive of Oasis Labs) is University of Berkeley Professor Dawn Song, a security expert who first came to prominence in 2009 when she was named one of as one of MIT Technology ReviewInnovators under 35.Songrise in the security world was capped with both a MacArthur Fellowship and a Guggenheim Award for her work on security technologies. But itthe more recent work that shebeen doing around hardware and software development in conjunction with other Berkeley researchers like her postdoctoral associate, Raymond Cheng, that grabbed investors attention.

Through the Keystone enclave hardware project,Song and Cheng worked with MIT researchers and professors like Srini Devadas and Ilia Lebedev on technology to secure sensitive data on the platform.

&We use a combination of trusted hardware and cryptographic techniques (such as secure multiparty computation) to enable smart contracts to compute over this encrypted data, without revealing anything about the underlying data. This is like doing computation inside a black box, which only outputs the computation result without showing whatinside the black box,& Song wrote to me in an email. &In addition to supporting existing trusted hardware implementations, we are also working on a fully open source trusted hardware enclave implementation; a project we call Keystone.We also have years of experience building differential privacy tools, which are now being used in production at Uber for their data privacy initiatives. We plan to incorporate such techniques into our smart contract platform to further provide privacy and protect the computation output from leaking sensitive information about inputs.&

Song says that her project has solved the scaling problem by separating execution from consensus.

&For each smart contract execution, we randomly select a subset of the computation nodes to form a computation committee, using a proof of stake mechanism. The computation committee executes the smart contract transaction,& Song wrote in an email exchange with TechCrunch. &The consensus committee then verifies the correctness of the computation results from the computation committee. We use different mathematical and cryptographic methods to enable efficient verification of the correctness of the computation results. Once the verification succeeds, the state transition is committed to the distributed ledger by the consensus committee.&

By having the computation committee working in parallel with the consensus committee only needing to verify the correctness of the computation creates an easier path to scalability.

Other platforms have attempted to use sampling to speed up transactions over distributed systems (Hedera Hashgraph comes to mind), but have been met with limited adoption in the market.

&We use proof-of-stake mechanisms to elect instances of different types of functional committees: compute, storage and consensus committees,& Song explained. &We can scale each of the different functions independently based on workload and system needs. One of our observations of existing systems is that consensus operations are very expensive. our network protocol design allows compute committees and storage committees to process transactions without relying on heavy-weight consensus protocols.&

Songapproach has managed to gain the support of firms including:a16zcrypto, Accel,Binance, DCVC (Data Collective), Electric Capital, Foundation Capital, Metastable,Pantera,Polychain,and more.

In all, some 75 investors have rallied to finance the companyapproach to securing data and selling compute power on a cryptographically secured ledger.

&Itexciting to see talented people like Dawn and her team working on ways to transition the internet away from data silos and towards a world with more responsible waysto share and own your data,&said FredEhrsam, co-founder of Coinbase and Oasis Labs investor, in a statement.

&The next step is getting our product in the hands of developers who align with our mission and can help inform the evolution of the platform as they build applications upon it,&said Oasis Labs co-founder and CTO Raymond Cheng in a statement.

For potential customers who&d eventually use the smart contracts developed on Oasis& platform the system would work much like the method established by Ethereum.

&The token usage model in Oasis is very similar to Ethereum, where users pay gas fee to miners for executing smart contracts,& Song wrote. &One just needs one token to pay for gas fee for executing smart contracts. As with Ethereum, in our platform storage and compute have different pricing models but they both are paid with the same token.&

And Oasis& leadership is looking ahead to a marketplace that incentivizes scale and makes fees accessible. &If the token price goes up, the amount of tokens needed to pay for operations can decrease (this is similar to Ethereumgas price, which is independent from the price of Ether). The number of tokens needed to pay for smart contract execution is not fixed.&

We&d be hard-pressed to find something we love to cover more than a rapidly evolving tech startup ecosystem. Thatone of the big reasons we&re so excited to be heading back to Africa — specifically Lagos, Nigeria — to host TechCrunch Startup Battlefield Africa 2018 on December 11. With more than 300 tech hubs across the continent connecting and mentoring entrepreneurs and innovators, ita prime time to be a startup in Africa — and the perfect time to launch your startup to the world. Apply right here, right now.

Last year, our first Startup Battlefield Africa took place in Nairobi,Kenya and featured 15 amazing startups, with one winner in three different categories. This year, we&re tweaking the format a bit, so herewhat you need to know.

Any type of tech startup may apply. Highly discerning TechCrunch editors will review the applications and choose the 15 startups they deem most likely to produce an exit or IPO. The founders of the competing teams will receive free pitch coaching from TechCrunch, and they&ll be ready to face a panel of judges (recruited by our editors), all experts in their categories.

Five startups will compete in one of three preliminary rounds where they will have six minutes to pitch and present their demo. The judges will then have six minutes to ask questions. The judges will select five of the 15 startups to pitch a second time, and from that elite group of five comes one overall winner of TechCrunch Startup Battlefield Africa 2018.

In addition to an intense amount of media and investor interest, the founders of the winning startup will receive US$25,000 in no-equity cash plus a trip for two to compete in Startup Battlefield in San Francisco at our flagship event, TechCrunch Disrupt 2019 (assuming the company still qualifies to compete at the time).

Are you as excited as we are Do you want to launch your startup to the world Ready to submit your application Herewhat you need to know about eligibility. Startups should:

• Be early-stage companies in &launch& stage
• Be headquartered in one of our eligible countries*
• Have a fully working product/beta, reasonably close to or in production
• Have received limited press or publicity to date
• Have no known intellectual property conflicts

TechCrunch Startup Battlefield Africa 2018 takes place in Lagos, Nigeria on December 11. Does your startup have what it takes to win it all Your destiny awaits —apply today.

*Residents in the following countries may apply:

Angola, Benin, Botswana, Burkina Faso, Burundi, Cameroon, Cabo Verde, Central Africa Republic, Chad, Comoros, Republic of the Congo, Democratic Republic of the Congo, Cote d&Ivoire, Equatorial Guinea, Eritrea, Ethiopia, Gabon, Gambia, Ghana, Guinea, Guinea-Bissau, Kenya, Lesotho, Liberia, Madagascar, Malawi, Mali, Mauritania, Mauritius, Mozambique, Namibia, Niger, Nigeria, Rwanda, Sao Tome and Principe, Senegal, Seychelles, Sierra Leone, Somalia, South Africa, South Sudan, Swaziland, Tanzania, Togo, Uganda, Zambia and Zimbabwe. Notwithstanding anything to the contrary in the foregoing language, the &Applicable Countries& does not include any country to or on which the United States has embargoed goods or imposed targeted sanctions (including, but not limited to, Sudan).

Timehophas disclosed a security breach that has compromised the personal data (names and emails) of 21 million users (essentially its entire user base). Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users& social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress,at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of peopledata had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehopcloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog poston Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital &memories& was affected.

However the keys that allow it to read and show users their social media content were compromised — so it has all keys deactivated, meaning Timehop users will have to re-authenticate to its App to continue using the service.

&If you have noticed any content not loading, it is because Timehop deactivated these proactively,& it writes, adding: &We have no evidence that any accounts were accessed without authorization.&

It does also admit that the tokens could &theoretically& have been used for unauthorized users to access Timehop users& own social media posts during &a short time window& — although again it emphasizes &we have no evidence that this actually happened&.

&We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,& it adds.

&The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don&t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your &Memories& after you&ve seen them.&

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehopcloud computing environment by targeting an account that had not been protected by multifactor authentication.

Thatvery clearly a major security failure — but one Timehop does not explicitly explain, writing only that:&We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.&

Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to &all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)&.So evidently there was more than one vulnerable account for attackers to target.

Its exec team will certainly have questions to answer about why multifactorauthentication was not universally enforced for all its cloud accounts.

For now, by way of explanation, it writes: &There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.& Which does have a distinct ‘stable door being locked after the horse has bolted& feel to it.

It also writes that it carried out &the introduction of more pervasive encryption throughout our environment& — so, again, questions should be asked why it took an incident response to trigger a &more pervasive& security overhaul.

Also not entirely clear from Timehopblog post: When/if affected users were notified their information has been breached.

The company posed the blog post disclosing the security breach to its Twitter account on July 8.But prior to that its Twitter account was only noting that some &unscheduled maintenance& might be causing problems for users accessing the app…

We&ve reached out to the company with questions and will update this post with any response.Update: A Timehop spokesman says individual users are being notified as they log back in to the app.

&An email to the entire user base is in the works for today,& he tells TechCrunch. &[It] took some time to get our send grid account ready for that many emails as we are not a big email sender in general.&

In its blog about the incident, Timehop says that at the same time as it was working to shut down the attack and tighten up security,company executives contacted local and federal law enforcement officials — presumably to report the breach.

Breach reporting requirements are baked into Europerecently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting auniversal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in &a risk to the rights and freedoms of natural persons&).

Referencing GDPR, Timehop writes: &Although the GDPR regulations are vague on a breach of this type (a breach must be &likely to result in a risk to the rights and freedoms of the individuals&), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.&

The company also writes that it has engaged the services of an (unnamed)cyber threat intelligence company to look for evidence of use of the email addresses, phone numbers, and names of users being posted or used online and on the Dark Web — saying that &while none have appeared to date, it is a high likelihood that they will soon appear&.

Timehop users who are worried the network intrusion and data breach might have impact their &Streak& — aka the number Timehop displays to denote how many consecutive days they have opened the app — are being reassured by the company that &we will ensure all Streaks remain unaffected by this event&.