Spotify’s leanback instant listening app Stations hits iOS

Spotify has launched its instant listening app Stations on iOS, but only in Australia for the time being. The release comes nearly a year and a half after the Stations app first arrived on the market, initially for Android users in Australia. Dubbed an “experiment,” the app allows users to jump right into streaming instead of having to curate their own playlists or stations, or save favorite music to their library.

Unlike Spotify’s flagship application, the Stations app presents users with a minimalist interface where available playlists are displayed with an oversized font. You can scroll up and down between the playlists to select one, instead of typing in a search box or searching through voice commands.

When launching Stations, music begins playing automatically — a feature that had some calling it a “Pandora copycat” at the time of launch, given that instant music playback is something that Spotify’s rival Pandora already supports.

Stations was largely designed for those who want a more radio-like experience that involves less manual input. Free users will hear ads and can thumbs up and down songs, but can’t skip tracks. Premium users who download Stations get unlimited skips and ad-free listening.

The Stations app today features a range of playlists by genre, decade, activity and more, but also becomes personalized to the end-user over time. You can also opt to create your own stations by selecting from favorite artists in an experience that’s reminiscent of the customization offered today by YouTube Music — right down to the rounded artist profile photos you tap on.

As you listen to music on Stations, you can thumbs up and down songs in order to have it create custom stations personalized to you — including a Discover Weekly playlist, Release Radar, and a Favorites playlist.

Not much had been heard about Stations since its January 2018 debut. And its limited release — it never hit the U.S., for example — could have indicated it was an experiment that didn’t quite pan out.

But it now seems that’s not the case, given the new expansion to iOS.

By offering the app to more users, Spotify has the chance to learn and collect data from a larger and more representative group of people. Whether or not it takes any ideas from Stations to its main app remains to be seen.

The company declined to comment on its plans, when asked.

“At Spotify, we routinely conduct a number of tests in an effort to improve our user experience,” a spokesperson said. “Some of those tests end up paving the path for our broader user experience and others serve only as an important learning. We aren’t going to comment on specific tests at this time,” they added.

Stations is live now on iOS in Australia. More information on the app is on the (newly updated) Help site here.

Source: Tech Crunch

Liam O’Connor, hired to help build Lyft’s bike and scooter business, has left after 7 months

The emerging business of offering bikes and scooters on demand has not always been very smooth, and today comes one of the latest bumps: TechCrunch has learned and confirmed that Liam O’Connor, an executive hired to help transportation company Lyft build its bike and scooter operations, has left after seven months with the newly-public company.

The change comes some two weeks after Lyft had to pull thousands of e-bikes off the roads in New York, San Francisco and Washington, DC due to faulty brakes. Lyft says that the move is not due to this, but to O’Connor deciding to take a job “close to his heart.”

“Yes, he’s taking on a new role that is close to his heart where he will be spending much of his time out of the country, and will remain a close advisor to Lyft,” a spokesperson said in a statement. “We’ve elevated an internal candidate who has been an outstanding product leader for the past two years and we’re excited to continue the progress we’ve made with Lyft Bikes and Scooters.”

We understand that O’Connor will be joining Zipline, the startup that delivers medicine by drone in Africa. He is being replaced by Dor Levi, who had been Lyft’s director of product for Marketplace, Shared Rides, Transit, and Bikes and Scooters (and had also spent some time at Uber in the middle of his years at Lyft). Levi is the new head of the division, with John Zimmer — Lyft’s co-founder and president — also spending significant time on the operation.

O’Connor isn’t the only person who has recently left the business. Justine Lee, who has been general counsel (leading on legal and regulatory) for Lyft Bikes, is leaving the company. Others include Lynn Fischer, who had been head of marketing and growth for Citi Bikes and left back in December, and Jelle Vastert, who had been recruited to help run the bike and scooter division but left after four months last year — from what we understand because of a change of heart about relocation (he’s based in The Netherlands).

Another significant personnel change in the bike and scooter division was that in March, some 50 people were let go.

There are clearly different reasons behind these various changes, but collectively the departures and some of the other events like the e-bikes getting pulled over technical problems underscore the challenges in forging into the new business area, and some of the instability that comes along with all that.

O’Connor was a high profile hire when he joined as chief procurement officer and head of the bike and scooter division in November 2018 — having held top supply positions at Tesla and before that Apple.

O’Connor’s joining Lyft ahead of its IPO was a signal of how the company planned to continue diversifying its business into different modes of transportation beyond private vehicles.

That diversification is seen as an essential step for highly capitalised transportation-on-demand businesses to take as a way of leveraging their scale and brand to reach a wider range of users and use-cases. (It’s a strategy that is also being followed by Uber.)

Lyft’s own efforts in diversifying into multi-modal transportation have seen some downs, but also some ups.

In terms of progress, the company has now integrated Citi Bike into the Lyft app and is planning to expand the bike sharing effort to more cities. And it recently won a bid to be the exclusive bikeshare provider in Chicago for the next nine years. In scooters, it’s now in 15 markets, showing steady progress on that front. From what we understand, Lyft is still very committed to growing that area of its business.

Source: Tech Crunch

How German and US authorities took down the owners of darknet drug emporium Wall Street Market

The major darknet marketplace known as the Wall Street Market has been seized and its alleged operators arrested in a joint operation between European and U.S. authorities. Millions in cash, cryptocurrency, and other assets were collected, and the market shut down. How investigators tied these anonymity-obsessed individuals to the illegal activities is instructive.

The three men accused of running Wall Street Market (WSM), one of the larger hidden service markets operating via the Tor network, are all German citizens: Tibo Lousee, Jonathan Kalla, and Klaus-Martin Frost; several vendors from the market have also been charged, including one who sold meth on it by the kilogram.

The investigation has been ongoing since 2017, but was pushed to a crisis by the apparent attempt in April by WSM’s operators to execute an exit scam. By suddenly removing all the cryptocurrency held in escrow and otherwise stored under their authority, the alleged owners stood to gain some $11 million if they were able to convert the coins.

Until recently Wall Street Market was a bustling bazaar for illegal goods, including dangerous drugs like fentanyl and physical items like fake documents. It had over a million user accounts, some 5,400 vendors, and tens of thousands of items available for purchase. It has grown as other darknet marketplaces have been cornered and shut down, driving users and sellers to a dwindling pool of smaller platforms.

Whether the owners sought simply to parlay this growth into a quick cash grab or whether they sensed the law about to knock down their door, the exit scam was undertaken on April 16.

This prompted investigators in the U.S., Germany, and Europol to take action: the exit scam was not only an opportunity to gather and observe fresh evidence of the trio’s alleged crimes, but waiting much longer might have let them go to ground and launder their virtual goods.

The DOJ complaint details the means by which the three administrators of the site were linked to it, despite their attempts to anonymize their access. It isn’t unprecedented stuff, but it’s always interesting to read through the step-by-step forensics that lead to charges, since it can be very difficult to tie real-world actors to virtual entities.

For Frost, it was an unstable VPN connection that did for him, plus some sleuthing by the German federal police, the Bundeskriminalamt or BKA:

The WSM administrators accessed the WSM infrastructure primarily through the use of two VPN service providers. On occasion, VPN Provider #1 connection would cease, but because that specific administrator continued to access the WSM infrastructure, that administrator’s access exposed the true IP address of the administrator

The individual utilizing the above-referenced IP address to connect to the WSM infrastructure used a device called a UMTS-stick (aka surfstick) [i.e. a dongle for mobile internet access]. This UMTS-stick was registered to a suspected fictitious name.

The BKA executed multiple surveillance measures to electronically locate the specific UMTS-stick. BKA’s surveillance team identified that, between February 5 and 7, 2019, the specific UMTS-stick was used at a residence of Lousee in Kleve, Northrhine-Westphalia (Germany), and his place of employment, an information technology company where Lousee is employed as a computer programmer. Lousee was later found in possession of a UMTS stick.

Some other circumstantial evidence also tied Lousee to the operation, such as similar login names, mentions of drugs and cryptocurrencies, and so on. (“Based on my training and experience as an investigator, I am aware that ‘420’ is a reference to marijuana,” writes the special agent who authored the complaint.)

Kalla’s VPN held strong, but the metadata betrayed him:

An IP address assigned to the home of this individual (the account for the IP address was registered in the name of the suspect’s mother) accessed VPN Provider #2 within similar rough time frames as administrator-only components of the WSM server infrastructure were accessed by VPN Provider #2.

Hardly a hole in one, but Kalla later admitted he was the user agent in question. This is a good example of how a VPN can and can’t protect you against government snooping. It may disguise your IP to certain systems, but anyone with a bird’s-eye view can see the obvious correlation between one connection and another. It won’t hold up in court on its own, but if the investigators are good it won’t have to.

Frost, the third administrator, required a more subtle approach, but ultimately it was again poor opsec, this time an unwise cross-contamination of his cryptographic and cryptocurrency accounts:

The PGP public key for [WSM administrative account] ‘TheOne’ is the same as the PGP public key for another moniker on [another hidden service] Hansa Market, ‘dudebuy.’ As described below, a financial transaction connected to a virtual currency wallet used by FROST was linked to ‘dudebuy.’

[The BKA] located the PGP public key for ‘TheOne’ in the WSM database, referred to as ‘Public Key 1’.

Public Key 1 was the PGP public key for ‘dudebuy.’ The ‘refund wallet’ for ‘dudebuy’ was Wallet 2.

Wallet 2 was a source of funds for a Bitcoin transaction… Records obtained from the Bitcoin Payment Processing Company revealed buyer information for that Bitcoin transaction as ‘Martin Frost,’ using the email address klaus-martin.frost@…

Essentially A is B, and B is C, so A is C. This little deductive trick is handy, but bitcoin wallets used by Frost were also identified through analysis by the U.S. Postal Inspection Service, which, if you didn’t know, has “a highly trained, skilled and committed cyber unit.”

The United States Postal Inspection Service learned, through its analysis of Blockchain transactions and information gleaned from the proprietary software described above, that the funds from Wallet 2 were first transferred to Wallet 1, and then “mixed” by a commercial service; mixing services is described above at paragraph 4.m. Through thorough analysis, the United States Postal Inspection Service was able to “de-mix” the flow of transactions, to eventually ascertain that the money from Wallets 1 and 2 ultimately paid FROST’s account at the Product Services Company.

Here the blockchain’s indelible record clearly worked against Frost. Wallet 1, by the way, handled thousands of bitcoins during its use in association with another darknet marketplace, German Plaza Market — which the three charged today also allegedly ran and shut down via an exit scam.
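The linkage quoted from the complaint above (shared PGP key, refund wallet, payment record) can be reproduced as a path search over evidence records. This is an added example, not code from the article or the complaint: the key bytes, transaction id and unrelated accounts are constructed, and `key_digest` is a stand-in for a real OpenPGP fingerprint.

```python
import base64
import hashlib
from collections import defaultdict, deque


def armor(raw: bytes, width: int, version: str = "") -> str:
    """Wrap constructed key bytes in ASCII armor (test-data helper only)."""
    b64 = base64.b64encode(raw).decode()
    lines = ["-----BEGIN PGP PUBLIC KEY BLOCK-----"]
    if version:
        lines.append(f"Version: {version}")
    lines.append("")
    lines += [b64[i:i + width] for i in range(0, len(b64), width)]
    lines.append("-----END PGP PUBLIC KEY BLOCK-----")
    return "\n".join(lines)


def key_digest(armored: str) -> str:
    """Digest of the decoded key body, so that line wrapping and armor
    headers do not hide a match between two databases.
    Assumption: a stand-in for an OpenPGP fingerprint, not the real thing."""
    body = []
    for line in armored.strip().splitlines():
        line = line.strip()
        # Skip blank lines, BEGIN/END markers, "Name: value" headers, CRC line.
        if not line or line.startswith("-----") or ":" in line or line.startswith("="):
            continue
        body.append(line)
    return hashlib.sha256(base64.b64decode("".join(body))).hexdigest()[:16]


# Constructed key material; the same key stored with different formatting.
KEY_A = b"constructed key material A " * 4
KEY_B = b"constructed key material B " * 4

# (evidence source, identifier, identifier). Labels such as 'TheOne',
# 'dudebuy' and 'Wallet 2' follow the article; everything else is constructed.
RECORDS = [
    ("WSM database", ("wsm_account", "TheOne"),
     ("pgp_key", key_digest(armor(KEY_A, 64, "constructed 1")))),
    ("Hansa Market profile", ("hansa_account", "dudebuy"),
     ("pgp_key", key_digest(armor(KEY_A, 76)))),
    ("Hansa Market refund wallet", ("hansa_account", "dudebuy"),
     ("wallet", "Wallet 2")),
    ("blockchain", ("wallet", "Wallet 2"), ("btc_tx", "tx-constructed-1")),
    ("payment processor records", ("btc_tx", "tx-constructed-1"),
     ("buyer", "Martin Frost")),
    # Unrelated (constructed) records that must not join the chain.
    ("WSM database", ("wsm_account", "vendor-x"),
     ("pgp_key", key_digest(armor(KEY_B, 64)))),
    ("constructed", ("hansa_account", "other-user"), ("wallet", "Wallet 9")),
]


def build_graph(records):
    """Undirected graph: identifiers are nodes, each record is a labelled edge."""
    graph = defaultdict(list)
    for source, a, b in records:
        graph[a].append((b, source))
        graph[b].append((a, source))
    return graph


def evidence_chain(graph, start, goal):
    """Shortest chain of (identifier, source, identifier) hops, or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while parent[node] is not None:
                prev, source = parent[node]
                hops.append((prev, source, node))
                node = prev
            return hops[::-1]
        for nxt, source in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, source)
                queue.append(nxt)
    return None


if __name__ == "__main__":
    g = build_graph(RECORDS)
    for a, src, b in evidence_chain(g, ("wsm_account", "TheOne"),
                                    ("buyer", "Martin Frost")):
        print(f"{a[0]}:{a[1]}  --[{src}]-->  {b[0]}:{b[1]}")
```

Each hop is only as strong as the record behind it, which is why the chain keeps the source label alongside every link.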

In addition to the administrators, some vendors and others associated with the site were charged. They were identified via more traditional means and their activities linked to the market in such a way that defense seems a lost cause. The record for a Brazilian man who operated as a dealer and as a sort of representative for WSM on Reddit and forums is an interesting study in the web of suggestive accounts and names that produce a damning, if circumstantial, depiction of a person’s associations and interests, from the banal to the criminal.

“The prosecution of these defendants shows that even the smallest mistake will allow us to figure out a cybercriminal’s true identity,” said U.S. Attorney McGregor W. Scott in the DOJ press release. “We are on the hunt for even the tiniest of breadcrumbs.”

Cases against the alleged criminals will be held in multiple locations and under multiple authorities — it’s safe to say this is just the beginning of a long, complicated process for everyone involved.

Source: Tech Crunch

Solving tech’s stubborn diversity gaps

Twenty years after Jesse Jackson first took aim at tech employers, Silicon Valley’s enduring diversity gaps remain a painful reminder of its origins as a mostly white boy’s club.

Sadly, little has changed in the decades since the campaign first made headlines. Today, just 7.4 percent of tech industry employees are African-American, and 8 percent are Latinx. Workers at Google, Microsoft, Facebook and Twitter — according to those companies’ own reports — were just 3 percent Hispanic and 1 percent black in 2016.

In some ways, tech’s equity gaps reflect a simple supply and demand imbalance. But it is an imbalance with artificial constraints. Because while Black and Hispanic students now earn computer science degrees at twice the rate that they are hired by leading tech companies, they are all but invisible to most recruiters.  

The problem stems from the fact that tech employers tend to recruit from a tiny subset of elite U.S. colleges.  Which means they may never come into contact with, for example, the 20 percent of black computer science graduates who come from historically black colleges and universities. Thousands of talented candidates are overlooked each year because they graduate from less-selective public universities, minority-serving institutions or women’s colleges — schools that exist far outside the elite network where tech employers recruit.

As a result, the recruiting practices of Silicon Valley actually compound the structural race and economic inequities that are endemic at every step of the education-to-career ladder. The number of segregated schools in the United States has doubled over the past 20 years. Poor and minority students often lack SAT and ACT test preparation, college advising services and after-school or extracurricular options. Just 3 percent of the students at the most competitive colleges are from the lowest economic quartile. And even those who make their way through the admissions industrial complex face college-to-career barriers like unpaid internships, which are more than many less-affluent students can endure.

Failure to broaden their aperture for talent means that even the best-intentioned diversity initiatives leave companies competing for the tiny pool of engineers of color who graduate from the top programs.

To move the needle on diversity, employers must move beyond filtering outputs of top computer science programs and focus on changing the inputs. They must invest in building industry-aligned programs at colleges and universities that are attended by more diverse students, but may lack the know-how to build — and keep current — curricula that prepare students to thrive in an increasingly dynamic tech industry. They can partner with institutions falling into the well-worn traps of academia, teaching theory without application, or relying on dated practices that leave graduates unprepared for the labor market.

A growing number of employers have begun to take such an approach, partnering with institutions that harbor underrepresented talent to transform their computer science programs.

Facebook has partnered with institutions, including the City College of New York, to create industry-relevant courses, and committed to funding the training of 3,000 Michigan workers for jobs in digital marketing. Last year, Facebook invested $1 million in an effort to teach computer science to more women and underrepresented minorities.

In 2015, Intel announced a $300 million effort to diversify its workforce by 2020. Since then, the company has launched a $4.5 million program to help STEM students at historically black colleges stay on track. In 2017, Howard University opened a campus at Google’s headquarters, offering students a three-month program in which they can receive instruction from both Howard faculty and engineers at Google. A year later, Howard leaders said the partnership helped lead to a 40 percent increase in computer science enrollment at the university.

Inequities have plagued the tech world since Ada Lovelace coded the first computer program in 1842 — only to lose her place in the textbooks to the men who capitalized on her insights while denying her contributions. Today, fluency in high-tech skills and knowledge is no longer controlled by an elite few. Opportunity, however, can remain stubbornly fixed.

Top tech companies have already taken the first step by activating the search for underrepresented talent. The next step is to broaden their search beyond elite campuses and invest in the education of underrepresented students.

It will take wholesale collaboration between employers and colleges to provide meaningful, relevant computer science education to any student on any campus. But such partnerships hold the promise of addressing the diversity gaps that blight our industry at its roots.

Source: Tech Crunch

Hundreds of Orpak gas station systems can be easily hacked thanks to hardcoded passwords

Homeland Security’s cybersecurity agency says a popular gas station software contains several security vulnerabilities that require “low skill” to exploit.

The advisory, posted by the Cybersecurity and Infrastructure Security Agency (CISA), gave the Orpak SiteOmat software a rare vulnerability severity rating of 9.8 out of 10.

Orpak’s SiteOmat systems monitor the amount of fuel stored in a gas station’s tanks, as well as their temperature and pressure. The software also sets the price of the gas and processes card payments. Its user interface is password protected, preventing unauthorized access to its data or configuration.

According to the advisory, the software contained a hardcoded password set by the manufacturer, which if used would grant unfettered access to the system.

CISA didn’t publish the password.

The advisory said an attacker could gain access to the system’s configuration, including payment information, or shut down the system altogether, preventing customers from buying gas. Worse, the bugs are remotely exploitable, putting any internet-connected SiteOmat device at risk.

A cursory search of Shodan, a search engine for publicly available devices and databases, revealed more than 570 Orpak systems are connected to the internet out of more than 35,000 service stations across 60 countries.

Most of the exposed systems are located in the U.S.

The software also has several other flaws that can be remotely exploited, including code injection and buffer overflow vulnerabilities.

Ido Naor, a security researcher with Kaspersky Lab, was credited with finding the bugs — the second time in as many years. Last year, Naor and his colleague Amihai Neiderman found near-identical flaws in the SiteOmat, including another hardcoded password. The buffer overflow flaw would not only let an attacker gain access to the system but also erase its logs, wiping any evidence of their activity.

CISA said the bugs had been fixed in a new software version — v6.4.414.139 — but customers have to request the update from Orpak directly.

A spokesperson for Orpak parent company Gilbarco Veeder-Root did not immediately return a request for comment.

Source: Tech Crunch

Facebook bans a fresh batch of mostly far-right figures

Facebook just announced a new round of controversial accounts that will be kicked off the platform for violating its rules. In this instance, Facebook cited its policy against “dangerous individuals and organizations” to bring the ban hammer down on Milo Yiannopoulos, Paul Joseph Watson, Laura Loomer, Paul Nehlen and Louis Farrakhan. The company also doubled down on its position toward Alex Jones and his popular conspiracy website Infowars.

“We’ve always banned individuals or organizations that promote or engage in violence and hate, regardless of ideology,” a Facebook spokesperson told TechCrunch via email. “The process for evaluating potential violators is extensive and it is what led us to our decision to remove these accounts today.”

While most people in that cluster of names are far right media figures, Farrakhan is best known for leading the Nation of Islam and has faced ongoing criticism for anti-semitism. Nehlen is a fringe political figure who ran against Paul Ryan in 2018 while openly espousing white supremacist views.



Beyond just banning these accounts, Facebook will restrict content from other users that promotes banned figures if they are linked to hate groups or known to incite violence. The company will not take this more comprehensive approach to accounts that don’t meet this threshold. We’ve reached out to Facebook for clarification on which figures fall into each camp. Update: None of the names from today meet Facebook’s criteria and content promoting all of these figures will still be allowed.

At the time of writing, some of the accounts banned today appeared to still be online and accessible, including an Instagram account belonging to Yiannopoulos. Some of the names on Facebook’s new ban list were previously banned on other mainstream platforms. Following the ban, Paul Watson leveraged his Twitter account to protest the company’s actions. “The media was tipped off an hour before Facebook banned me,” Watson tweeted. “They’re in cahoots.”

Facebook previously announced a ban for Jones in 2018 and again did a sweep for accounts linked to Jones in February. In spite of the Facebook ban, Jones was allowed to maintain his presence on Instagram due to the fact that less than 30% of his content violated the platform’s rules.

Source: Tech Crunch

Awair raises $10M to help customers like WeWork monitor their office environments

Monitoring a space is about a lot more than security cameras; Awair is trying to help businesses and consumers more deeply understand the environments they live and work in.

Awair has raised a $10 million Series B led by The Westly Group with participation from iRobot, Altos Ventures, Emerson Electric and Nuovo Capital as well. The company has raised over $21 million to date.

The company has previously just been plugging along with air-quality monitors that look like they belong in the MoMA. Awair’s $199 monitor senses things like particulate matter, temperature, humidity, and CO₂ levels. They’ve built out their product line with a couple other devices but they’re largely targeting air-conscious consumers that might have allergies or other ailments and “design moms” who are looking to get some well-designed tech into their home.

The information all plugs into an app that helps consumers understand what’s happening in their home and get tips for how they can improve air quality.

As the company looks to make venture-worthy returns, it’s been scaling beyond the consumer IoT space into the world of enterprise IoT with its Omni product, which Awair has been selling to large real estate firms, offices and hospitals, aiming to give companies more insight into what life is like in every corner of their physical spaces.

The devices measure the same things their consumer products do but can also track ambient light and noise in a space, and pipe all of that data into a dashboard that can help businesses automate how they push their existing building infrastructure like their HVAC systems to respond to changes in the environment.

While Awair has been selling consumer IoT devices since 2015, its business product is about 18 months old, and a big part of this fundraise is to bring a sales staff onboard to keep the pace of enterprise expansion, which has been faster growing than the consumer business.

The company says they have more than 300 enterprise customers on the platform, including WeWork, Airbnb, Harvard, and The Crown Estate.

Source: Tech Crunch

Takeaways from F8 and Facebook’s next phase

Extra Crunch offers members the opportunity to tune into conference calls led and moderated by the TechCrunch writers you read every day. This week, TechCrunch’s Josh Constine and Frederic Lardinois discuss major announcements that came out of Facebook’s F8 conference and dig into how Facebook is trying to redefine itself for the future.

Though touted as a developer-focused conference, Facebook spent much of F8 discussing privacy upgrades, how the company is improving its social impact, and a series of new initiatives on the consumer and enterprise side. Josh and Frederic discuss which announcements seem to make the most strategic sense, and which may create attractive (or unattractive) opportunities for new startups and investment.

“This F8 was aspirational for Facebook. Instead of being about what Facebook is, and accelerating the growth of it, this F8 was about Facebook, and what Facebook wants to be in the future.

That’s not the newsfeed, that’s not pages, that’s not profiles. That’s marketplace, that’s Watch, that’s Groups. With that change, Facebook is finally going to start to decouple itself from the products that have dragged down its brand over the last few years through a series of nonstop scandals.”

Josh and Frederic dive deeper into Facebook’s plans around its redesign, Messenger, Dating, Marketplace, WhatsApp, VR, smart home hardware and more. The two also dig into the biggest news, or lack thereof, on the developer side, including Facebook’s Ax and BoTorch initiatives.

For access to the full transcription and the call audio, and for the opportunity to participate in future conference calls, become a member of Extra Crunch. Learn more and try it for free. 

Source: Tech Crunch

Final Niantic EC-1 lessons, F8 call, Slack, WeWork, and TED

Live Conference Call: Josh Constine and Frederic Lardinois talk all things F8 in just a bit

Facebook’s annual F8 conference is in full swing, with major redesigns of the company’s apps and all sorts of news trickling out of San Jose. We have Josh Constine and Frederic Lardinois on the ground talking to everyone, and now we invite all EC members to join us for a live conference call today at 5pm EST / 2pm PST (i.e. about an hour or so from now).

Dial-in information will be sent an hour before the call to all Extra Crunch members.

Niantic EC-1, Part 4: Nine lessons on growth

Greg Kumparak wraps up his massive dive into the (virtual) world of Niantic, the producer behind Pokémon GO and Harry Potter: Wizards Unite. In this final conclusion, he takes stock of all the lessons learned from the company and how Niantic’s methods turned it into a $4 billion AR behemoth:

Source: Tech Crunch

Job recruitment site Ladders exposed 13 million user profiles

Ladders, one of the most popular job recruitment sites in the U.S. specializing in high-end jobs, has exposed more than 13.7 million user records, following a security lapse.

The New York-based company left an Amazon-hosted Elasticsearch database exposed without a password, allowing anyone to access the data. Sanyam Jain, a security researcher and a member of the GDI Foundation, a non-profit aimed at securing exposed or leaking data, found the database and reported the findings to TechCrunch in an effort to secure the data.

Within an hour of TechCrunch reaching out, Ladders had pulled the database offline.

Marc Cenedella, chief executive, confirmed the exposure in a brief statement. “AWS confirms that our AWS Managed Elastic Search is secure, and is only accessible by Ladders employees at indicated IP addresses. We will look into this potential theft, and would appreciate your assistance in doing so,” he said.

TechCrunch verified the data by reaching out to more than a dozen users of the site. Several confirmed their data matched their Ladders profile. One user who responded said they are “not using the site anymore” following the breach.

Each record included names, email addresses, and their employment histories, such as their employer and job title. The user profiles also contain information about the industry they’re seeking a job in and their current compensation in U.S. dollars.

Many of the records also contained detailed job descriptions of their past employment, similar to a résumé.

Although some of the data was publicly viewable to other users on the site, much of the data contained personal and sensitive information, including email addresses, postal addresses, phone numbers and their approximate geolocation based off their IP address.

The database contained years’ worth of records.

Some records included their work authorizations, such as whether they are a U.S. citizen or if they are on a visa, such as an H1-B. Others listed their U.S. security clearance alongside their corresponding jobs, such as telecoms or military.

More than 379,000 recruiters’ information was also exposed, though the data wasn’t as sensitive.

Security researcher Jain recently found a leaking Wi-Fi password database and an exposed back-end database for a family tracking app, including the real-time location data of children.

Source: Tech Crunch