WhatsApp Text Status Comes Back to iPhone as ‘About’: How to Get and Use It

WhatsApp has tried to curb the outrage over the removal of the text status feature by quickly bringing it back. The Facebook-owned company brought back the feature earlier this week for Android and soon after rolled it back for iPhone users as well.

The latest WhatsApp for iPhone update will get you your old text status back. All you need to do is head on over to the App Store and download the latest version of WhatsApp (v2.17.10). As the update description reads, the new text status feature is now called About. The update also brings a few other features including playing videos without downloading completely, a new moon icon for capturing better photos and videos better under low-light conditions and 3D Touch support for directly cropping an image.

WhatsApp Text Status Comes Back to iPhone as 'About': How to Get and Use It

After updating WhatsApp for iPhone, you’ll find the new About section by tapping on Settings in WhatsApp and tapping once agin on your profile name on top. You’ll find About at the bottom of the screen, most likely showing your last updated status before it was removed. You can now edit your status the way you want and be certain that it won’t disappear with 24 hours. Your contact list will be able to view your status message by opening your contact, starting a new chat thread or viewing your info in a group.

Of course, the new Snapchat-like disappearing photos and videos feature is still very much present and WhatsApp has no plans to remove it any time soon. Interestingly, WhatsApp’s parent company Facebook also rolled out a similar feature earlier this month for its Messenger app, called Messenger Day while Facebook-owned Instagram also got this feature last year.

Notably, Facebook has been working on a number of new features for its site and Messenger app to make it more fun and conversational. The social media giant on Friday introduced two new features for Messenger, called Message Reactions and Mentions. Facebook is also reportedly testing the ability to add GIFs to comments from services like Giphy and Tenor.

Nokia 150 Dual SIM Feature Phone Now Available in India at Rs. 2,059

HMD Global announced its first Nokia-branded phones with the Nokia 150 and Nokia 150 Dual SIM feature phones back in December last year. The company had mentioned then that the phones will go on sale in the first quarter of 2017, and now the Nokia 150 Dual SIM has been spotted online on Amazon India and Flipkart priced at Rs. 2,059.

Nokia 150 Dual SIM Feature Phone Now Available in India at Rs. 2,059

The Nokia 150 Dual SIM features a polycarbonate shell which is offered in a choice of Black or White on Flipkart and only Black on Amazon India. The feature phone sports a 2.4-inch QVGA (240×320 pixels) display and runs on Nokia Series 30+ operating system. The phone offers an expandable storage via microSD card (up to 32GB).

The Nokia 150 Dual SIM houses a 1020mAh battery which claims to offer up to 22 hours of battery life with a standby time of up to 25 days. The phone measures 117x50x13mm and weighs around 82 grams. Additional features include an MP3 player, FM radio, Bluetooth v3.0 with SLAM, and a VGA camera with an LED flash.

The Nokia 150 Dual SIM feature phone is expected to come with pre-loaded with Snake Xenzia, and the try-and-buy version of Nitro Racing by Gameloft2, based on what HMD Global had said at the time of announcement.

HMD Global recently unveiled a slew of Nokia-branded devices at MWC 2017 including the first set of Android-powered Nokia smartphones with Nokia 3, Nokia 5 and Nokia 6. The company also added a dash of nostalgia by announcing a redesigned Nokia 3310, which is expected to launch ahead of the Android phones.

The company also confirmed on Friday that the Nokia 3, Nokia 5 and Nokia 6 smartphones will launch in the second quarter (April – June) in 120 markets including India at the same time at “affordable prices”.

US Senate Says ISPs Free to Sell Customer Information Without Permission

The Senate voted to kill Obama-era online privacy regulations , a first step toward allowing Internet providers such as Comcast, AT&T and Verizon to sell your browsing habits and other personal information as they expand their own online ad businesses.

Those rules, not yet in effect, would have required Internet providers to ask your permission before sharing your personal information. That’s a much stronger privacy-protection weapon than letting them use your data until you tell them to stop. As anyone who has ever tried to stop getting targeted ads on the Internet knows, opting out is hard.

Without those protections, consumer advocates fear that broadband providers will be able to do what they like with people’s data.

US Senate Says ISPs Free to Sell Customer Information Without Permission

“Advertisers and marketers are lining up to get access to all the information that’s now available about us,” said Jeff Chester of the Center for Digital Democracy, which advocates for tougher Internet privacy measures.

Online privacy? what online privacy?
Of course, Google and Facebook already track you. But proponents of the privacy measure argued that the company that sells you your Internet connection can see even more about you: every website you visit, every app that sends or receives data, everyone you email and many that you message. Telecom companies argue that companies like Google know far more about users than they do.

Consumer advocates also point out that it can be hard, in many areas of the country, to dump your cable or phone company for another one if you don’t like its practices. Of course, it’s also hard to stop using Google or Facebook.

Undoing the Federal Communications Commission’s regulation leaves people’s online information in a murky area. Today, you can tell a broadband provider not to use your data. Experts say federal law still requires broadband providers to protect customer information – but it doesn’t spell out how or what companies must do.

That’s what the now endangered rules from the Federal Communications Commission aimed to do. “There’s kind of a void,” said Perkins Coie telecom attorney Marc Martin.

Building digital-ad businesses
Cable companies, cellphone carriers and the advertising industry attacked the FCC rules as an overreach. Having to get permission from customers to use their browsing and app histories would likely make it more difficult to build stronger ad businesses, as telecom companies want to do.

Internet companies like Google operate under laxer requirements and don’t have to ask users’ permission before tracking what sites they visit. Republicans and industry groups have blasted that discrepancy, saying it was unfair and confusing for consumers.

Regulatory tussle
If the just-passed measure also clears the House and is signed by President Donald Trump, no future FCC could pass the broadband privacy rules again without further change to US law.

The Trump-appointed chairman of the FCC, Ajit Pai, is a critic of the broadband privacy rules and has said he wants to roll them back, along with other Obama-era policies meant to protect consumers and promote competition.

He and other Republicans want a different federal agency, the Federal Trade Commission, to police privacy for both broadband companies like AT&T and Internet companies like Google. But broadband providers don’t currently fall under FTC jurisdiction, and advocates say the FTC has historically been a weaker agency than the FCC.

“At the FCC, consumers are much more protected with strong privacy rules that give (Internet service providers) clear rules as to what’s fair and what’s foul,” Dallas Harris, a policy fellow with consumer advocacy group Public Knowledge, said last month. “The FCC is a stronger entity with a bit more teeth to hold ISPs’ feet to the fire.”

iCloud Not Hacked, but Some Passwords in Criminals’ Possession Reportedly Genuine

Apple has denied that its security has been compromised, following ransom demands from a criminal group that claims it has the usernames and passwords of hundreds of millions of iCloud and Apple email accounts. However, independent verification of samples of this set provided to media outlets indicate that at least some of them are in fact genuine, and that users should be worried.

The relatively unknown organisation calling itself Turkish Crime Family says it will remotely wipe users’ devices and the contents of their accounts on April 7 if Apple does not pay each of its seven members $100,000.

iCloud Not Hacked, but Some Passwords in Criminals' Possession Reportedly Genuine

The group has released evidence that it is in contact with Apple’s security team, and has also proactively reached out to various international media organisations to bolster its claims. A public Pastebin post and several tweets describe frustration with reporting of the situation, and clarify that the group never claimed to have hacked Apple directly, but the accounts are genuine and were gathered from multiple insecure third-party sources.

The Turkish Crime Family further claims to be able to reset 150 accounts per minute using 17 scripts running simultaneously on each of its 250 servers, for a total of 637,500 accounts per minute. Those servers have purportedly already verified 250 million of the Apple IDs in the group’s possession, with more being added after checking for simple password modifications such as the capitalisation of the first letter.

ZDNet and TNW have both investigated the situation, and report that while some of the accounts are several years old and not functional, many others are. ZDNet reached out to the Turkish Crime Family and was given a small sample of 54 user IDs and says that Apple’s password reset page accepts them all as valid accounts. ZDNet then tried contacting the users in question, and managed to confirm that ten of the passwords it was given were correct and still in use.

All ten individuals said that they had not changed their passwords since creating their accounts several years ago. One other respondent said that the password in ZDNet’s possession was correct in the past but had been changed by him two years ago, which means at least some of the breach occurred longer ago than that.

Among those contacted, there was no common pattern of ownership of specific Apple devices or using specific iCloud or Apple ID features. While many respondents admitted to using the same password for other major services, three said that their passwords were used only for iCloud, opening up the possibility that this data was harvested from sources other than third-party breaches.

TNW was also provided a sample, and says that it cross-referenced them with accounts known to have been harvested from the massive LinkedIn breach. However, only a few accounts matched, indicating that those users were simply using common email addresses and passwords across services.

No matter whether Apple itself was compromised or not, and whether these credentials have been collated from one breach or multiple sources over multiple years, anyone with an Apple ID should change their passwords immediately and enable two-factor authentication to prevent unauthorised access. This covers Me.com and iCloud.com email accounts, iTunes store accounts, and iCloud itself.

Koho, a mobile-only suite of financial services for millennials, launches in Canada

The world of consumer financial services has been turned upside down by the rise of newer technology like apps and the growing expectation from people that they should have a lot more flexibility and access when it comes to controlling how they spend and save their money. The latest development on this comes out of Canada, where a new startup called Koho is launching a service aimed at millennials (first in Canada, and then in Southeast Asia and Latin America) to provide them with a new way to manage their money, free of charge after creating accounts in under three minutes.

The service will come in the form of an app, first for iPhone and Apple Watch, and eventually on Android, too.

Koho, it should be made clear, is not a bank (it doesn’t have a license), but it has partnered with Canadian bank the Peoples Trust Company in a white-label deal, along with Visa, to provide a range of services to its customers including a “smart spending account”, a mobile app, and a Koho Visa Card.

Koho is the brainchild of an entrepreneur in Vancouver called Daniel Eberhard, who has been working on the product in stealth for the past two years with 2.6 million Canadian dollars (around US$2 million) in backing from investors that include David Tedman from Hootsuit and Shopify co-founder Scott Lake, along with the Power Corporation of Canada and VCs Gil Penchina and Stanley Park Ventures.

The Power Corp. is a strategic investor: the company is a $13 billion financial services company and has been eyeing up ways of breaking into more services targeting younger people.

The gap in the market that Koho is targeting in Canada (and later in Latin America and Southeast Asia) is specific.

As explained to me by VP of marketing Spencer Chen — who took up his role recently, after he left a VP role at Alibaba when he relocated from Silicon Valley to Vancouver — Canada is admittedly a tiny market, only 35 million people, “About the size of California!” he exclaimed over Facetime. But it’s also home to some of the highest banking fees per capita in the world: last year, totalling some $130 billion. “There is no innovation coming from the bottom,” Chen said.

At the same time, while there have been a number of innovative financial startups established south of the border in the U.S. and further afield in Europe, Canada’s disruption has been relatively thin on the ground. Chen tells me that services that it’s looking to emulate and offer all in a one-stop shop include Mint, Venmo, PayPal, Acorns and Digit — several of which do not exist in that country.

That’s where Koho is hoping to make a mark. It brings in several smart financial services like an account that lets you deposit money and track what you are spending from it in real time, by transaction as well as by categories; and it also lets you create and track savings budgets for buying big-ticket items. While you cannot write paper checks (yet) you can deposit money into your account to transfer money to friends or businesses electronically.

And, perhaps most enticingly for consumers, the service is planning to start out, and remain, free for life. The hope is that by targeting younger users who go out a lot and like to spend money, those consumers will opt for a service where they have no fees to pay, and will use their Koho payment cards to buy lots of things. It’s from those cards that Koho will make a commission each time an item is purchased.

(And in turn, both the Peoples Trust and Visa also hope that by targeting younger users, they will also see greater returns by way of overall spending, which is why they are happy to cut Koho in on their transaction commissions.)

Up to now the company has only been in a closed beta, where it has picked up some interesting stats that bear out some of its theories on how people under the age of 30 spend their money.

In that period, more than $1.3 million was processed from just 1,051 beta users, and users typically were opting to put about one-third to half of their paychecks into their Koho accounts every two weeks. Those users were also logging in and using their accounts on average eight times per month (compared to around once per month for most banking apps in Canada).

It’s not clear how much business Koho will have to generate in order to break even on this model. But with Canada’s top five banks controlling 90 percent of the market and making $128 billion in combined revenue and close to $40 billion in profit, you can see both the financial opportunity, as well as the competitive one to try to shake things up.

Sign up now for 2-for-1 tickets to TechCrunch Disrupt Berlin, released April 5

Disrupt Berlin 2017 doesn’t take place until December, but if you’re looking to attend the best startup show in Europe for the lowest possible price, an important deadline is fast approaching.

We’ll be releasing a limited number of tickets to Disrupt Berlin on Wednesday, April 5 and the special price of two for the price of one. By signing up now, you can use this extra ticket to bring a colleague, friend or whoever else you might want to share a fun-packed couple of days with at Disrupt.

To sign up, all you need to do is enter your email address here. On April 5, you’ll receive an email with a link to purchase these deeply discounted tickets. You’ll definitely want to act quickly, however, as there are only 50 pairs of tickets available, and if history is any indication, they’re going to run out quickly.

Disrupt attendees get to check out fireside chats with some of the most brilliant minds in the business. In the Startup Battlefield and the Startup Alley, they’ll be introduced to some pretty awesome international startups across many verticals.

Plus, if you are part of a startup, multiple members of the media will be in attendance as well, making Disrupt a perfect storm to get your budding startup in front of the eyes and ears that can help take your company to the next level.

Disrupt Berlin 2017 takes place December 4-5 at the beautiful, historical Arena Berlin in the heart of Berlin, Germany. We can’t wait to see you all there!

A new, affordable naming startup for startups

A few years ago, I launched a daily email newsletter, and I was ecstatic to be striking out on my own for the first time. Alas, just a few weeks after filing to secure a trademark,  an officious-sounding note appeared in my inbox, and soon after, I found myself shelling out $10,000 in lawyer’s fees over a short-lived trademark dispute. It wasn’t nearly as painful as it might have been, but it was a rude realization that figuring out the right brand can be both time consuming and have implications that founders might not foresee.

Of course, my experience is hardly rare. Most founders are typically left to either conduct trademark searches on their own via the USPTO site, or else pay top dollar for law firms or branding agencies to do it for them. Often they do both.

Thankfully, thoroughly and affordably eliminating risky name choices is exactly the opportunity that a two-year-old, Bay Area company, Naming Matters, is chasing, and the company’s founder is very familiar with the market. S.B. Master previously cofounded Master-McNeil, a 29-year-old corporate naming and branding firm in Berkeley, Ca., whose past clients include Apple, General Motors, Disney, and PayPal.

Now Master sees an opportunity to cater not just to deep-pocketed corporate customers but also startups on shoestring budgets. Indeed, 18 months ago, she decided to take everything she has learned over the years about linguistic analysis, trademark searching, and domain name acquisition and pour it into a self-service software product that also incorporates search and data visualization. I talked with her earlier today to learn more.

TC: You’ve already run a naming company for decades. Why start this new thing?

SM: Naming is hard, and we tend to work with companies that can afford us to do deep preliminary availability screening. I grew frustrated with how slow and antiquated that searching step is [for companies that can’t afford such a service]. I mean, if you have 100 names, how do you figure out which are most likely to get you into trouble, and which are your stronger candidates that you should focus on? There are legacy providers, but their model is to charge users for every name they look up. If you’re looking for a name in every country and every class, it adds up. You have to be very skilled to [keep your costs down].

TC: So the idea is to pay less to your friendly trademark attorney.

SM: The idea is that instead of this being some super expensive cottage industry, that anyone, anywhere — whether founders or innovators in companies or paralegals in law firms or companies under pressure to do more faster and with less — can use this tool in an unlimited way.

TC: How big a problem — or opportunity — is this?

SM: About 5 million trademarks are registered worldwide each year, and to get to a name that you’re willing to spend the money [on] to file a trademark application, you’ve probably looked at 50 to 100 names. That means people are looking up something like 500 million names a year. That’s a lot of time and effort, and it still often doesn’t answer the question of whether it’s worth it.

We’ve been told by big law firms that to look at one name, a paralegal is going to spend three hours, and they cost $300 an hour. So, there’s $1,000 right there.

TC: Why is this the killer solution?

SM: There are so many engineers and creative people who have no knowledge of trademarks or how they should work, and by merely looking at the visualization (that we produce for users), where the bigger the dot is to the name you’ve chosen, or the more crowded, the more [risky] the brand — it just offers incredible cost and time savings by being able to visualize this data.

TC: Are you scanning trademarks globally or just in the U.S.? And how much are you charging?

SM: We’re still working on pricing, but we offer a day pass for less than $50 which provides users with unlimited use to search U.S. filings. We also have a standard product that offers unlimited use on a monthly basis; one seat is $100 per month . . . and the service can be stopped at any time.

And we’re working on a pro product that’s much more feature rich and that will be a bit more expensive and will include multiple data sets, not just U.S [data].

TC: Don’t companies need to worry about competition globally from the outset?

SM: Absolutely. Any business that puts itself online is intrinsically international. So even though you may not plan to do business in Germany or the U.K. or Japan, knowing what’s out there and who could come after you – without hiring an attorney in Tokyo – [is key]. You’ll be able to see if there’s something there that you should be aware of.

TC: Is there no global database that exists as of today?

SM: You can find a newish database online that’s sponsored by the EU. But unless you’re a very skilled operator, it’s [hard to navigate]. It’s almost like doing a Google search, where you’re getting inundated with large amounts of irrelevant hits, or you have to have a lot of knowledge to know if you should care. Nothing is sorted; you can’t see how much of a threat other trademarks are. What we can do with our algorithm is rate and rank and visualize everything, so you can see those that look like the most serious threats.

You can also see who else is out there in your space with similar names and get new ideas yourself for names that are different and probably smarter in the context of knowing who else is out there. Using this as a creativity tool wasn’t something we anticipated, but once people see what’s out there, it prompts more creativity on their part to think up more unique names.

TC: Can you talk about who some of your clients are?

SM:  We have some law firm users. We have a prominent product innovation company. Fifteen companies from the last YC class signed up, too. [President] Sam [Altman] loves what we’re doing.

TC: Can I ask how you came up with the brand Naming Matters? I’ve talked with branding agencies in the past that say most early firms in a space use something that literally describes their business, like Facebook. Brands start getting crazier sounding the more crowded a space grows.

SM: It’s a pun. Naming does matter, but also, if you’re a lawyer, you call a legal topic a matter. What do you think? [Laughs.] We’re supposed to be good at this!

Google is the latest company to brush off most of the Wikileaks vulnerabilities

Wikileaks dumped thousands of alleged CIA documents online yesterday that contained lists of vulnerabilities in popular tech products, sending companies scrambling to make sure their security patches were up-to-date. But as companies reviewed the documents, it became clear that most of the vulnerabilities they contained were outdated.

Apple first dismissed the majority of the listed iPhone vulnerabilities in a statement last night, and now Google and other firms are following suit.

“As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections. We’ve always made security a top priority and we continue to invest in our defenses,” Google’s director of information security and privacy Heather Adkins said in a statement.

Finding flaws in iPhones and Android devices was important to the CIA’s mission of surveilling targets because the security problems could allow the agency to eavesdrop on users’ communications.

It’s important to note that, although Google and Apple both say that most of the vulnerabilities are fixed, that doesn’t mean all of them are. Users concerned about the security of their devices need to make sure they’re updating to the latest software to get all of the security patches.

The Wikileaks disclosure has reignited a debate over whether U.S. intelligence agencies should disclose software vulnerabilities to companies so they can be fixed, or hoard them so they can be used for spying.

Mozilla’s chief legal and business officer Denelle Dixon highlighted the importance of disclosure in conversation with the New York Times. “The C.I.A. seems to be stockpiling vulnerabilities, and WikiLeaks seems to be using that trove for shock value rather than coordinating disclosure to the affected companies to give them a chance to fix it and protect users,” Dixon said. “Although today’s disclosures are jarring, we hope this raises awareness of the severity of these issues and the urgency of collaborating on reforms.”

 Many tech industry advocates believe that the government has a responsibility to protect American businesses and consumers by notifying companies of security flaws, rather than keeping them secret and exploiting them. The Obama administration pushed a vulnerabilities equity process to help government agencies determine when to disclose vulnerabilities to companies, but the Wikileaks documents raise questions about whether the VEP is effective.

“The White House vulnerabilities equities process spells out what the government should be doing when it comes into possession of 0-days,” Alex Rice, chief technology officer of HackerOne, told TechCrunch. “It’s unclear if it’s been honored properly in this case. Were these vulnerabilities handled in the way outlined by the previous administration? And if not, what do we do about that? Was the process illegitimate to begin with? It’s restarting a conversation we thought we had a clear answer to.”

Rice, who worked on Facebook’s security team before helping launch the bug bounty platform HackerOne, said the vulnerabilities Wikileaks reported in Samsung smart TVs had a personal impact on him: Wikileaks claimed the CIA spied on targets through their TVs, and Rice has a Samsung TV facing his bed. “I’m not worried about the CIA eavesdropping on my television. If the CIA is going to conduct espionage on me, they have more than enough means to do so. What I am concerned about, if the U.S. government knows I have vulnerable tech in my bedroom, that has direct implications to my privacy. That’s something I should know about as a taxpayer,” Rice explained.

After all, if the CIA discovers a security vulnerability in a popular product, it’s only a matter of time before hackers or other nations’ spy agencies find it too. The CIA knew it had been breached late last year, according to a Reuters report, which calls into question why Apple, Google, Samsung and others weren’t alerted sooner.

“Eventually these vulnerabilities are not going to be secret any longer,” Rice said. “How are we going to minimize the damage when that happens? This leak is proof of that. We are all at a disadvantage if Wikileaks has access to a 0-day in iPhone, Android, or Samsung TV.”

How hackers turned a Cape Cod fishing guide’s site into a host for e-commerce fraud

Cape Cod fishing guide Eric Stapelfeld trusted me to look after his website the same way that I trust him to find fish. Until a few weeks ago, I believed I had the easier part of the bargain. After all, what’s hard about maintaining a simple WordPress site with a phone number and lots of striped bass pictures? As it turns out, everything is hard, really hard, when hackers go to work on a vulnerable site — even a simple one. And no fish ever put up a fight like the malware that took over Eric’s site.

Eric Stapelfeld, the fishing guide

The story began last fall, when Eric called me in San Francisco to report that  “some guy” had called to complain about fraud on his site.

“Yeah, like the guy said somebody is running a business inside the website and ripped him off. Said he knows it’s not my fault but I should know about it.”

Eric doesn’t sell anything on his site. It consists of posts about fishing and a phone number to book trips. No hacker would bother with a site like that, right?

“Hey forget about it,” I told Eric. “There’s no way your site could rip anyone off. I have no idea what the guy is talking about.”

That was more true than I realized. Three months later, I got another call from Eric. “Hey, Google is fucking with my site,” he said. “My friends are calling me and saying something is wrong.”

As soon as I typed in www.hairballcharters.com, Google dropped a screaming red screen warning that read: “The site ahead contains malware. Attackers currently on www.hairballcharters.com might attempt to install dangerous program on your Mac that steal or delete information (for example, photos, passwords, messages,  and credit cards).”

“Oh crap,” I thought. Maybe there was something more to that guy who called Eric.

My first move was to call customer service at Deluxe Hosting, where the site is hosted, and get them to open a ticket. After a few email exchanges, I realized that they were unlikely to sort out the problem. They found malware and said they deleted some of it, but Google was still showing a warning. After a few exchanges, Deluxe stopped responding.

Next I got in touch with Jennifer Zelazny, the WordPress developer who set up the site and had worked on it from time to time. She agreed to dive in.

What she found was nasty. Hackers had accessed the site either directly through WordPress or through a plug-in on the site. She found at least 20 suspicious WordPress core files. There were also non-core files on the site with file names like “list.php” and “apis.php,” which to an average user might not have raised any red flags. Their names looked typical, but the time stamps were all recent — since July 2016 — and upon further inspection revealed redirects to other sites. She deleted the files, reset passwords, updated the secret keys in the wp-config, cleaned up other valid files with malicious code and then ran scans with Exploit Scanner and Sucuri SiteCheck scanner to ensure she found every bit of malware.

Jennifer asked me if I had a Google Webmaster account so we could request that Google scan the site and give it a clean bill of health. I had not claimed the site before, so I went through the steps. Google provided a code snippet to drop into the site’s markup as a means to authenticate that I was in fact the owner of the site. Jennifer followed up; not long afterwards, Google admitted me to the account.

To my horror, there were already two other email addresses listed as owners of the site. They were really sketchy email addresses, like ones you’d make up if you were up to no good.

I looked around in the Google webmaster account and saw that the hackers had filed 47 sitemaps and submitted 565,192 web pages, of which 229,837 had been indexed by Google.


In case you’re wondering, Eric’s site has 130 web pages, most of which feature a picture of an impressive striped bass caught off Falmouth on Cape Cod.

It appears that the hackers were using the malware to insert links in Eric’s site and using the site map to create some kind of dynamic set of redirects. But that’s just a guess, and there may be a better explanation.

Neither of us was crazy about following the links. The hacker had created more than 47 separate sitemaps using links/redirects from the site — all averaging 70,000 lines of code each (that’s a lot of URLs!) The URLs all looked similar in their format:

And this example of the result on a Google search results page — needless to say, Hairball Charters does not have any business extensions in Japan:

By looking at this cached page, it’s pretty easy to imagine what was happening. In this case, the hackers had set up an e-commerce site targeted at Japanese consumers.

Google’s tools made it easy to kick the invaders out of the account. Google shows the tag associated with each registered account for the site, so I passed those to Jennifer, who deleted them from the mark-up. In an instant, the hackers’ access was gone. Then I gave Jennifer access to the account and she deleted all the fake sitemaps. Jennifer told me that she had worked on a lot of compromised sites, but this was the first time she had seen hackers take over the Google webmaster account in order to manipulate the sitemaps.

Jennifer updated the security patches for WordPress and all the plug-ins and implemented steps to make sure updates take place automatically in the future. We also set up two-factor authentication to access the site.

I always knew that it was important to keep patches up-to-date, but until now I did not know why an out-of-date site was so vulnerable. Jennifer explained that every time WordPress or any developer with an important WordPress plug-in becomes aware of a vulnerability, they usually document the vulnerability at the same time that they issue the security patch. (Here is a WordPress example and a Sucuri example.)  Once that documentation goes public, hackers immediately scan WordPress sites to find exploits. Get there late and you get nailed. Sorry to say, that was Hairballcharters.com.

Avoiding situations like Hairball’s is a lot more simple than dealing with the aftermath of a hack. Here is Jennifer’s five-step program to good security on a WordPress site.

Step one: Stay up-to-date with WordPress core upgrades. This is beyond simple: Insert one line of code — define( ‘WP_AUTO_UPDATE_CORE’, minor ) — in the wp-config.php file and your site will always auto update. (Here is the documentation.)

Step two: Keep your WordPress plug-ins up-to-date. The Jetpack plugin makes this straightforward; just use the Jetpack Manage option to select the plug-ins you want updated as soon as patches become available.

Step three: To make your site extra secure, consider the plug-in Sucuri Security: Auditing, Malware Scanner and Security Hardening, which allows you to do exactly what the name suggests. You can enable auditing to send immediate notifications if any files are modified, plug-ins are enabled/disabled and much more.

Step four: Install two-factor authentication for access to your WordPress site.

Step five: Claim your site in the Google Webmaster tool and check in from time to time to make sure your site has no content or sitemap errors — or stealthy invaders populating sketchy sitemaps.

As for HairballCharters.com, the site is back in good order and Eric is happy that Google’s big red screen is now gone. If you happen to be out Cape Cod way this summer, he would love to take you fishing and trash-talk two of his favorite topics: my fishing and my security smarts.

Uber’s VP of product and growth has left the company

Ed Baker, Uber’s VP of product and growth, has resigned from Uber, Recode first reported. Uber declined to comment on the story but TechCrunch has confirmed that Baker has left the company, and that Daniel Graf, Uber’s head of marketplace, will be the interim head of product and marketplace.

“I have always wanted to apply my experience in technology and growth to the public sector,” Baker wrote in an email to employees, obtained by Recode. “And now seems like the right moment to get involved.”

That’s an interesting rationale given that the last couple of weeks have been something else for Uber, between allegations of sexual harassment, sexism, Amit Singhal resigning as SVP and reports of some sketchy software to sidestep law enforcement. Baker formerly worked at Facebook, where he was head of international growth.