Posts Tagged ‘united-kingdom’

Chatroulette Is 89 Percent Male, 47 Percent American, And 13 Percent Perverts

This is a guest post by Robert J. Moore, the CEO and co-founder of RJMetrics, an on-demand database analytics and business intelligence startup. His last guest post was an analysis of Twitter user data.

It’s no surprise that Chatroulette is the latest media darling. It has all the elements of a good story: technology, mystery, celebrity, and sex. If you haven’t heard of Chatroulette, this Daily Show segment is a good primer.

We were itching to study Chatroulette in an RJMetrics Dashboard, but no one seemed to have any good data for us to explore. So we decided to compile the data ourselves by leveraging Chatroulette Map, some scrappy programming, and a passionate tech community. We soon had detailed data on 2,883 Chatroulette sessions that tied users to geography, gender, appearance, and more.

Here are a few highlights from our findings:

  • About half of all Chatroulette spins connect you with someone from the USA. The next most likely country is France at 15%.
  • Of the spins showing a single person, 89% were male and 11% were female.
  • You are more likely to encounter a webcam featuring no person at all than one featuring a solo female.
  • 8% of spins showed multiple people behind the camera. 1 in 3 females appear as part of such a group. That number is 1 in 12 for males.
  • 1 in 8 spins yield something R-rated (or worse)
  • You are twice as likely to encounter a sign requesting female nudity than you are to encounter actual female nudity

How We Did It

Thanks to RJMetrics, the analysis was easy. Getting the data, however, was a bit of a challenge. The good news is that a roulette wheel is the statistician’s best friend: if each spin is a random draw from the pool of chatters, the central limit theorem tells us that a large set of observed spins pins down the proportions in the underlying population to within a small, calculable margin of error.

We started our process at Chatroulette Map, an awesome new site that plots screenshots from random Chatroulette sessions on a map.

Chatroulette Map ties Chatters to Locations

It’s a little-known fact that anyone you chat with on Chatroulette can determine your IP address with a packet sniffer such as Wireshark, because the video stream travels directly between the two chatters’ machines. Chatroulette Map uses this IP data to geolocate random chatters and plot them on its website, alongside still photos from their chats.

Chatroulette Map is also nice enough to expose all of its data points to anyone who clicks “View Source.” Right in the raw source code of their homepage is the image URL, latitude, longitude, city, state, and country of every chatter on their map. As an added bonus, the file name of each image is a UNIX timestamp of when it was taken. Jackpot. (Note: we tried contacting the creators of Chatroulette Map to participate in this story but did not receive a response.)

Once we had photos, times, and locations, we needed data on what was happening in each chat photo. We coded up a quick webpage that displayed a random photo from the data set and asked some basic multiple-choice questions about it, covering age, gender, and what the person in the photo was doing. We coded the backend so that a photo wouldn’t be taken out of rotation until two votes from different IP addresses provided an identical set of answers.

We posted the link to Hacker News on Saturday night. In under two hours, we received 10,770 photo assessments from 1,012 distinct IP addresses. Every photo received a corroborated profile. We had our data.

Five minutes later, the data was loaded into a hosted dashboard on RJMetrics and returning the results you see below.
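The two pieces of that pipeline, pulling the data points out of the map page’s source and retiring a photo only once two independent voters agree, look roughly like the following. This is an added example, not RJMetrics’ code: the post does not show Chatroulette Map’s markup, so the JavaScript array in SAMPLE_SOURCE, its field names and the example.invalid image URLs are assumptions; the timestamp-in-filename convention and the two-matching-votes rule are the ones the post describes.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the map page's source. The real page's layout is not
# shown in the post; a JSON array assigned to a JS variable is an assumption.
SAMPLE_SOURCE = """
<script>
var points = [
  {"img":"http://example.invalid/shots/1267329634.jpg","lat":40.7128,"lng":-74.0060,"city":"New York","state":"NY","country":"United States"},
  {"img":"http://example.invalid/shots/1267329701.jpg","lat":48.8566,"lng":2.3522,"city":"Paris","state":"","country":"France"},
  {"img":"http://example.invalid/shots/1267330012.jpg","lat":51.5074,"lng":-0.1278,"city":"London","state":"","country":"United Kingdom"}
];
</script>
"""

POINTS_RE = re.compile(r"var points = (\[.*?\]);", re.S)
TS_RE = re.compile(r"/(\d{9,10})\.jpg$")  # file name is a UNIX timestamp, per the post


def extract_points(html):
    """Return one record per plotted chatter, with the capture time decoded from the file name."""
    m = POINTS_RE.search(html)
    if not m:
        return []
    records = []
    for p in json.loads(m.group(1)):
        ts_match = TS_RE.search(p["img"])
        if not ts_match:
            continue  # skip anything that does not follow the timestamp naming scheme
        taken = datetime.fromtimestamp(int(ts_match.group(1)), tz=timezone.utc)
        records.append({
            "img": p["img"],
            "taken_utc": taken.isoformat(),
            "lat": float(p["lat"]),
            "lng": float(p["lng"]),
            "city": p["city"],
            "state": p["state"],
            "country": p["country"],
        })
    return records


class VoteCollector:
    """Keeps a photo in rotation until two votes from different IPs agree exactly."""

    def __init__(self):
        self.votes = defaultdict(dict)  # img -> {voter_ip: frozen answer set}
        self.retired = {}               # img -> the agreed answers

    def submit(self, img, voter_ip, answers):
        """Record a vote; return True if this vote retired the photo."""
        if img in self.retired:
            return False  # already out of rotation, ignore late votes
        key = tuple(sorted(answers.items()))
        self.votes[img][voter_ip] = key  # one live vote per IP; a re-vote replaces it
        for other_ip, other_key in self.votes[img].items():
            if other_ip != voter_ip and other_key == key:
                self.retired[img] = dict(key)
                return True
        return False

    def pending(self):
        """Photos that have votes but no corroborated profile yet."""
        return [img for img in self.votes if img not in self.retired]


if __name__ == "__main__":
    pts = extract_points(SAMPLE_SOURCE)
    print(len(pts), "points; first taken", pts[0]["taken_utc"], "in", pts[0]["country"])
    vc = VoteCollector()
    vc.submit(pts[0]["img"], "203.0.113.5", {"gender": "male", "age": "young adult"})
    vc.submit(pts[0]["img"], "203.0.113.9", {"gender": "male", "age": "young adult"})
    print("retired:", vc.retired, "pending:", vc.pending())
```

The IP-based corroboration rule is a spam filter, not an integrity guarantee: one person behind several addresses, or two people coordinating, can retire a photo with a bogus label, and everyone behind a shared NAT counts as a single voter. A stronger version would also spot-check a sample of retired photos against a trusted rater.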

Caveats

Before we get to the data, we should point out the uncontrolled inputs that could be skewing these results:

  • We know nothing about how Chatroulette matches up chatters, and we act on the assumption that pairings are truly random.
  • We know nothing about the methodology used by Chatroulette Map. If they excluded data points for any reason or did not sample randomly, our analysis could be skewed.
  • Geolocation by IP address is an imperfect science that is typically only accurate within a few dozen miles. It can also be thrown off by users taking advantage of proxy servers or using other techniques to disguise their IP addresses.
  • Human image recognition is imperfect (even if mitigated by our vote convergence system). Any images that were judged incorrectly could skew the results.
  • It’s also important to note that statistics about “the average chat session” (which we present here) are not the same as stats about “the average user.” For example, imagine if female chats averaged 100 seconds each, but male chats averaged 10 seconds each. Even if there were equal numbers of male and female users, males would enter the pool more often and would therefore appear in front of you more often, making the “average session” more likely to contain a male chat partner. Because of this, all of our statistics are about the average session and not the average user.

The Results

Gender

As you might expect, you’re most likely to encounter a solo male in any given chat session. 72% of our chat sessions were with solo males. Interestingly, 11% showed no person at all while only 9% showed a solo female. So, if you’re looking for women on Chatroulette, be forewarned: you’re more likely to encounter an empty chair.

Most Chat Partners were Male

Also interesting is the prevalence of groups on Chatroulette. In all, 8% of chats featured a group of people (4% all-male, 2% all-female, and 2% mixed). If you include groups, your chance of encountering a female grows to 13%. However, this means that if you do encounter a female, there is about a 1 in 3 chance that she will be part of a group. In contrast, the chance a male will be part of a group is only about 1 in 12.

Age

This analysis excludes cams where age could not be estimated. As you might expect, most people were young adults (about 70%). About 20% were under 20 and about 10% were 40 and older.

Most chat partners are young adults

When we combine age with the gender statistics that we tracked above, we learn even more. For example, females tended to be younger than males, with 23% under 20 (vs. 18% for males). Only 3% of females were over 40 (vs. 8% for males).

Groups of females were even younger. Female-only groups were “Teen or Younger” 65% of the time, while groups of males were “Teen or Younger” only 36% of the time. There were no groups whatsoever of people 40 or older.

Location

47% of the Chatroulette participants measured were from the United States. The most popular countries are shown below:

Most chatters are from the United States

When we combine geography with gender and age, we learn even more:

  • Italy had the highest concentration of solo males at 98%. It also had the highest concentration of “Men over 40” at 13% (more than 3x the US rate of 4%).
  • The US has the highest concentration of groups at 13%, followed by The Netherlands at 9%.
  • Canada had the highest concentration of solo females at 13%, followed by the US at 10%.

Perverts

If you’ve ever used Chatroulette, you probably noticed that not everyone is there just to chat. Some users, which we have affectionately labeled “perverts,” fit into any of these three categories:

  • Appear to not be wearing any clothes whatsoever
  • Are displaying explicit nudity
  • Appear to be committing a lewd act

The overall pervert rate in Chatroulette is 13%. This means about 1 in 8 chat sessions will have something decidedly Rated R (or NC-17) on the other end. Of the perverts that were identified, only 8% were female. Combined with the overall pervert rate, that means only about 1% of chats feature a female pervert.

Below, we see the “pervert rate” by country:

Chatroulette pervert concentration is the highest in the UK

The United Kingdom dominates the rankings here with a pervert concentration of 22%! Turkey, France, and Germany tie for second place with rates of 15%. Bringing down the global average is the United States, which boasts the lowest pervert concentration of the bunch: 10%.

Also worth mentioning are the users who display signs (like the one below) requesting female nudity.

Signs like this make up between 1% and 2% of all chats. This means that you’re twice as likely to encounter a sign requesting female nudity than you are to encounter actual female nudity.

Validation

In trawling through the thousands of photos collected by Chatroulette Map, I came across this extremely interesting image. It contains a statistical breakdown of what this user saw during his many Chatroulette chat sessions. Sound familiar?

These stats appear to be based on a data set of 1,090 points (pretty impressive for a single user). The numbers are generally in the same ballpark as ours (although we observed a higher pervert rate). We’re not sure who was behind this, but we like their style– they managed to sum up the gist of this blog post in a single image.

Conclusion

Scarcity of the data made this project both challenging and exciting. In an ideal world, it would be great to analyze things like average session length based on different attributes, chat user return rates, cohort analysis, and more. Because of the mostly-anonymous nature of Chatroulette, that data will be hard to come by. For now, at least you have a better idea of what you will see when you hit that Next button.

Guest author Robert J. Moore is the CEO of RJMetrics, a startup that helps online businesses measure, manage, and monetize better. He was previously a venture capital analyst and currently serves as an advisor to several New York startups. Robert blogs at The Metric System and can be followed on Twitter at @RJMetrics.




Canada Now Somewhat Less Anti-Startup

Canada isn’t shy about making life difficult for startups, and we’ve had one or two personal brawls with the country as well. But a change in Canadian tax law last week is designed to spur U.S. venture investments in Canadian startups and make Canada less of a leper colony for tech entrepreneurs.

The change spares foreign investors in most Canadian startups from having “literally hundreds of pages of documents” filed and processed on the sale of a startup, sometimes by each limited partner in a venture fund. That burden meant that most venture firms simply ignored the Canadian market, says Deloitte:

A 2007 survey by Deloitte and Canada’s Venture Capital & Private Equity Association (CVCA) of 528 VCs from around the world found that 40% of U.S. respondents and 28% of global respondents cited Canada’s unfavourable tax environment as a key reason for not investing in Canadian companies. This level of concern is five times higher than for any other country in the survey and reflects the current investment crisis within Canada’s venture capital industry. The survey also found that Canada is attracting the attention of just 11% of U.S. VCs as a primary country for expansion — behind China (34%) and India (24%).

“I predict that over time this farsighted tax legislation will help propel Canada’s extraordinary technology into global industry leadership in numerous markets, and will likely be viewed in the future as a defining moment for the Harper government in Canadian innovation,” says Stephen Hurwitz, a partner at U.S. law firm Choate Hall & Stewart.

That may be a bit optimistic, but the tax change is a nice start. Perhaps over time our frozen neighbors to the north will be known for being great at something more than playing hockey and eating poutine. A robust startup community would be very welcome.

More information:

Change in tax law sends a strong signal to international investors that Canada is “open for business”

Government removes tax barriers and stimulates flow of capital across Canadian border

TORONTO, March 4, 2010 — Canadian companies across the country are likely applauding today’s federal budget, which contains tax law changes that give them the advantage they need to compete on the global stage.

By amending the definition of “taxable Canadian property” to exclude shares of Canadian private companies (where not more than 50% of their value is derived from real property in Canada, Canadian resource property or timber resource property), the government has significantly reduced administrative and, in some cases, economic barriers to foreign investment in Canadian-based innovation and technology. This change puts Canada at the top of the list of places to invest globally.

“The changes in tax legislation announced in today’s budget are among the most significant changes to capital gains taxation since the introduction of taxation of capital gains in 1972,” explains John Ruffolo, Global Tax Technology, Media & Telecommunications Leader, Deloitte. “The Canadian government has listened to the financing community, understood the severity of the problem and removed the major tax barriers that have prevented critically needed international investment capital from crossing our borders.”

“At a minimal cost to the government, this amendment will have an immediate, positive and direct impact on Canada’s ability to grow a robust Canadian technology industry,” explains Terry Matthews, Chairman, Wesley Clover. “By sending a clear message to international investors that Canada is “open for business”, the government will make Canadian companies more attractive to foreign investors overnight. This will help Canadian companies raise the capital they need to achieve global leadership status.”

The change means a much more welcoming environment for foreign investors. In the vast majority of cases, non-residents who were not taxable on the disposition of their investments in such shares due to Canada’s broad international tax treaty network, are now exempt from tax under Canadian domestic law without having to apply for treaty relief. As a result, they are no longer required to comply with the Section 116 tax clearance certificate procedure or file a Canadian income tax return. The changes also remove what were perceived to be insurmountable barriers for many venture capitalists who considered the previous administrative requirements and economic delays for each investor to be strong deterrents to investing in Canada.

“The removal of the Section 116 tax barrier is a tax master stroke by the Canadian government enabling Canada’s emerging technology companies to access deep pools of international capital and the vast global customer markets to which those pools are connected,” notes Stephen Hurwitz, Partner, Choate Hall & Stewart LLP in Boston. “I predict that over time this farsighted tax legislation will help propel Canada’s extraordinary technology into global industry leadership in numerous markets, and will likely be viewed in the future as a defining moment for the Harper government in Canadian innovation.”

BACKGROUND INFORMATION ON THE SECTION 116 TAX BARRIERS

The following describes the tax barriers that were removed in today’s budget and that are no longer preventing international investment in Canada:

• Withholding and Section 116 certificate process — The overwhelming majority of foreign VCs are not subject to Canadian tax when they sell an investment, but face a delay of many months to work through the Section 116 tax clearance process until funds can freely flow to them. Many foreign VCs are structured such that each of the investors in the VC — sometimes hundreds or even thousands — is subject to this clearance process as if they held the investment directly. This delay results in lower returns and frequently causes direct financial loss to investors. Canadians who invest in the United States, the United Kingdom and other major global markets do not face such taxes or delays from red tape.

• Requirement to file Canadian tax returns by foreigners who don’t owe taxes creates hundreds of pages of unnecessary paperwork — Canada imposed tax filing requirements in circumstances where no taxes were payable by these investors. When a foreign VC sells an investment, each investor of the foreign VC has to file a Canadian tax return even if they don’t owe any taxes. This results in literally hundreds of pages of documents that are required for signature and processing for a single sale. This tax return filing issue also applies to certain Canadian public companies.

Why Canada was perceived by VCs as having an unfavourable tax environment
A 2007 survey by Deloitte and Canada’s Venture Capital & Private Equity Association (CVCA) of 528 VCs from around the world found that 40% of U.S. respondents and 28% of global respondents cited Canada’s unfavourable tax environment as a key reason for not investing in Canadian companies. This level of concern is five times higher than for any other country in the survey and reflects the current investment crisis within Canada’s venture capital industry. The survey also found that Canada is attracting the attention of just 11% of U.S. VCs as a primary country for expansion — behind China (34%) and India (24%).

About Deloitte Canada’s tax practice
With the largest tax practice in the country (over 1,500 professionals in 44 offices), Deloitte offers a full suite of tax services to clients in all industries across the country. The market leader in shaping the “future of tax”, Deloitte influences Canadian tax policy with the goal of creating a business climate which propels corporate growth and furthers Canada’s international competitiveness. Known for its industry-leading expertise, Deloitte’s tax practice sets the standard of excellence in Canada and is the only Big Four professional services firm in the country to receive a Tier 1 ranking in the prestigious International Tax Review (ITR)’s “World Tax 2010” report. For further information on Deloitte’s tax practice, visit www.deloitte.ca and for further information on the “future of tax”, visit www.thefutureoftax.ca.

About Deloitte
Deloitte, one of Canada’s leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 7,700 people in 58 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. Deloitte & Touche LLP, an Ontario Limited Liability Partnership, is the Canadian member firm of Deloitte Touche Tohmatsu. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu and its member firms.




Android Apps Are Priced Higher in Europe Than In The U.S. (Report)

App store analytics company Distimo has released its December report on mobile apps, this time zooming in on the physical location of publishers in Google Android Market and how the prices of their apps compare to those of developers in other countries.

Distimo found that publishers in the Euro zone (Austria, France, Germany, Italy, The Netherlands and Spain) tend to price their applications higher than those in the United Kingdom, the U.S. and Japan.

The average price of an Android app published by a developer in Europe is $4.42, which is 49% higher than publishers located in the United States ($2.96). For comparison, publishers in Japan price apps $2.28 on average, while the UK comes out at an average price of $3.31.

In Android Market, application prices are denominated in the publisher’s home currency, which is how Distimo is able to break down pricing by region. Looking at the physical location of publishers of paid applications, Distimo found that 65% are in the United States and 12% in the United Kingdom. This makes sense, of course, because those are the countries where Android Market arrived first.

The Euro zone accounts for 20% of publishers, and Japan for a mere 3%.

Distimo doesn’t only track Android Market, and in fact has just broadened its analytics services to include Windows Mobile Marketplace and Nokia Ovi Store next to Android Market, BlackBerry App World and the Apple App Store.

Unsurprisingly, Distimo found that applications for BlackBerry and Windows Mobile are generally priced higher. This is likely because more enterprise applications make their way to those devices, and their owners are more willing to spend money on tools that help them do their jobs more efficiently.

According to Distimo’s report, the average price of applications for Android, iPhone / iPod Touch and in Nokia’s Ovi Store hovers around $3.50. Windows Marketplace for Mobile and BlackBerry App World are clearly more expensive, averaging $6.99 and $8.26, respectively.




MySpace And Wall Street Journal To Send A Citizen Journalist To Davos

Once again, MySpace is partnering with The Wall Street Journal, both of which are owned by News Corp, to send one MySpace user to the World Economic Forum in Davos, Switzerland in January. Dubbed the “MySpace Citizen Journalist,” the contest will let one lucky winner, chosen by a panel of correspondents, join the Davos press corps.

The winner will have to use the MySpace platform to report on conference news. MySpace is expanding the contestant pool this year and will accept entries from users in the United States and the United Kingdom. Details are here. To enter, you record a video answering one of the three questions below:

1. Name two issues – one global and one local – in which you’ve been actively engaged over the past year. What have they taught you about your impact in the world?

2. Which country caught your attention most this year? What are the primary issues facing its citizens and how would you resolve them?

3. What pressing global issue has been underreported? Why is the international community neglecting the topic? How would you draw attention to mobilize support?

The citizen journalist will receive an expenses-paid trip to and from Davos, Switzerland, the ability to sit in on private meetings with editors from the Wall Street Journal and News Corp executives, and the opportunity to document the experience in written and video blogs on MySpace and the Wall Street Journal online.





Twitter Hacked, Defaced By “Iranian Cyber Army” (Developing)

We’ve received multiple tips right around 10 pm that Twitter was hacked and defaced with the message below. The site was offline for a while.

We’re looking into this and awaiting a response from Twitter.

The message read:

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY

iRANiAN.CYBER.ARMY@GMAIL.COM

U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
Take Care.

Update: We have just found out that the same defacement is appearing on at least one other site, mawjcamp.org. We are not able to see what was at this domain before, but it is now displaying the same defacement that Twitter was only a few minutes ago.

Twitter does not have the best record with security issues. We have previously covered a number of incidents, and as recently as two months ago their web servers were misconfigured to reveal detailed internal network information. We also previously wrote about their admin interface having a password of ‘password’ on one account, and the well-known Twitter doc incident. It was hoped that with the hiring of a new COO, Dick Costolo, as well as a number of other high-level engineers, including security experts, Twitter had grown out of the phase of being vulnerable to security incidents on such a large scale.

We do not know a lot about the group claiming responsibility for the attack as we haven’t heard their name before and they do not show up in any defacement mirrors or security sites. Similar Iranian groups were active during the election campaign in that country. We have emailed the group (they were kind enough to leave an address on the defacement) for a comment (also added them on Gchat – worth a shot).

Update 2: Twitter.com is down, status.twitter.com is down. Some tweets are getting through at the moment because parts of the API are up. Search also seems to be working. The Firehose is up: tweets are coming in from FriendFeed (all those tweets about ‘is twitter down’ are from third-party sites).

Update 3: It is suggested that if you use the same password on your Twitter account as on other accounts, now would be a good time to change your password on those other accounts.

Update 4: There is a history between Iran and Twitter. It was well noted and covered in the media that Twitter was used as a tool during the Iranian election protests. The US government actually intervened to assure that Twitter was available to the protestors in Tehran and around the country. This attack may be an act of reprisal from groups who were not happy with the role that Twitter played during the protests.

Update 5: There is speculation at the moment that this may be a DNS redirect, which means that the Twitter.com domain has been redirected to the defacement page. This doesn’t explain why some sub-domains are down while others are currently still alive (such as search).

Update 6: Twitter.com is back. The company updated its status blog saying: “Twitter’s DNS records were temporarily compromised but have now been fixed. We are looking into the underlying cause and will update with more information soon.”

Update 7: Twitter’s Platform Lead engineer Alex Payne has a funnier update on the current status.

Update 8: Google was briefly showing the below when searching for Twitter (thanks Chris). The translation from Farsi reads:

“In the name of God, As an Iranian this is a reaction to Twitter’s interference sly which was U.S. authorities ordered in the internal affairs of my country…”

Update 9: Biz Stone blogged:

As we tweeted a bit ago, Twitter’s DNS records were temporarily compromised tonight but have now been fixed. As some noticed, Twitter.com was redirected for a while but API and platform applications were working. We will update with more information and details once we’ve investigated more fully.

As will we.
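A small check of the kind that would have flagged this early is to keep a baseline of the A records for each hostname you care about and compare what resolvers return against it. The following is an added example, not Twitter’s tooling: the hostnames are the ones named in the updates, the addresses are RFC 5737 documentation ranges standing in for real ones, and the OBSERVED snapshot is constructed to mirror what the updates describe (twitter.com and www redirected, api and search answering normally, status returning nothing). A change of that shape is exactly what a per-record edit at the registrar or DNS host produces, which is why hostnames with their own records stayed alive while twitter.com went elsewhere.

```python
import ipaddress

# Constructed baseline: the A records the operator expects per hostname.
# RFC 5737 documentation addresses, not Twitter's real ones.
BASELINE = {
    "twitter.com":        {"192.0.2.10", "192.0.2.11"},
    "www.twitter.com":    {"192.0.2.10", "192.0.2.11"},
    "api.twitter.com":    {"192.0.2.20"},
    "search.twitter.com": {"192.0.2.30"},
    "status.twitter.com": {"192.0.2.40"},
}

# Constructed snapshot of what resolvers return mid-incident: apex and www now point
# at a foreign address, api and search are untouched, status gets no answer at all.
OBSERVED = {
    "twitter.com":        {"198.51.100.7"},
    "www.twitter.com":    {"198.51.100.7"},
    "api.twitter.com":    {"192.0.2.20"},
    "search.twitter.com": {"192.0.2.30"},
    "status.twitter.com": set(),
}


def classify(baseline, observed):
    """Compare each hostname's observed answer set with its baseline.

    Returns {hostname: verdict}. A record that shares no address with the baseline is
    reported as hijacked together with where it now points; a partial overlap (one of
    several addresses swapped) is called out separately because round-robin answers
    can hide a single bad entry.
    """
    verdicts = {}
    for host, expected in baseline.items():
        got = observed.get(host, set())
        for addr in got:
            ipaddress.ip_address(addr)  # raises ValueError on garbage in a resolver answer
        if not got:
            verdicts[host] = "no answer"
        elif got == expected:
            verdicts[host] = "ok"
        elif got & expected:
            verdicts[host] = "partially changed: " + ",".join(sorted(got - expected))
        else:
            verdicts[host] = "hijacked: " + ",".join(sorted(got))
    return verdicts


def alerts(verdicts):
    """Hostnames that need a human to look at them, in stable order."""
    return sorted(host for host, verdict in verdicts.items() if verdict != "ok")


if __name__ == "__main__":
    result = classify(BASELINE, OBSERVED)
    for host in alerts(result):
        print(f"{host}: {result[host]}")
```

Run the comparison against the zone’s authoritative servers (the ones the registrar publishes) and from more than one public recursive resolver: a record changed at the registrar shows up at the authoritative servers immediately, while cached answers elsewhere keep serving the old value until their TTL expires, so a single vantage point can miss the first minutes. Baseline NS and MX records the same way, since an attacker who can edit A records can usually edit those too.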





Mobile Web Usage Continues To Explode As Opera Mini Nears 40 Million Monthly Users

We all know the mobile web is exploding in popularity. Opera Mini, Opera’s mobile browser, grew to nearly 40 million monthly users in October, an 11 percent month-over-month increase (and up from 32 million users in August). In terms of page views, Opera Mini delivered 17.2 billion last month, a 238 percent annual increase, indicating that mobile web usage is growing fast. Since September’s report, page views have gone up by nearly 15 percent.

Opera also reported increased data consumption on Opera Mini, which compresses pages by up to 90% before they reach the handset to save network bandwidth: Mini users generated more than 263 million MB of data for operators worldwide in October 2009, a 16 percent increase since September 2009. Since October 2008, data traffic is up 233 percent.

Although these stats are impressive, it’s important to acknowledge the immense popularity of WebKit and Apple’s Safari browser. But Opera Mini does seem to have a stronghold in Russia, Asia and Europe. The top 10 countries for Opera Mini usage are (in order): Russia, Indonesia, India, China, Ukraine, South Africa, United States, United Kingdom, Poland and Vietnam.

From October 2008 to October 2009, overall page views in the countries listed increased by 332 percent, but Opera also released some interesting statistics about usage in Latin America in this month’s State of the Mobile Web report. Brazil, Mexico and Argentina lead the region in usage.

Unsurprisingly, Google and Facebook are doing well in Latin America, according to the report. While Orkut is strong in Brazil and Paraguay, Facebook is slowly chipping away at its stronghold. Hotmail is the most popular e-mail site in Latin America, and auction site MercadoLibre, eBay’s Latin American partner, is drawing large numbers of users in Argentina, Venezuela, Colombia and Peru. Nokia and Sony Ericsson are by far the most popular handset brands among Opera Mini users in Latin America.

Opera claims that using Opera Mini saves people “billions of dollars every year off their mobile phone bills” because the browser compresses data by up to 90%, which could reduce the amount users pay each month for mobile data. To promote these savings, Opera is launching a new cost savings calculator to let users figure out how much they could save each month. Opera claims that Mini users save a total of $9.4 billion USD per year.

It’s important to take this number with a grain of salt. Opera’s calculation looks at the top operators in each country, determines how much they typically charge per MB of browsing, and averages those figures. The average cost per MB in each country is then multiplied by the amount of traffic generated in that country, and the resulting totals are summed and compared against what the same traffic would have cost uncompressed. The caveat is that the calculation reflects metered rates (cost per MB) and not flat-rate subscriptions, on which compression saves the user nothing, which skews the headline number in Opera’s favor.



Another Exploding iPhone Case Surfaces In Belgium

A 15-year-old Belgian by the name of Salvatore is the latest victim in a series of mysterious iPhone explosions that have captured the attention of France’s and the European Commission’s consumer affairs watchdogs. Details are scarce for the moment, but according to local news reports the teenager was holding his iPhone in his hand, about to make a call, when the device suddenly ‘imploded’. The incident didn’t cause any serious injuries but reportedly gave Salvatore a headache for a couple of days. He has been promised a free replacement unit by Apple but hasn’t yet received a new phone.

There have been earlier reports of exploding iPhone devices in the United States, United Kingdom and France, with about ten cases having emerged most recently in France, where the official competition, consumer affairs and fraud watchdog DGCCRF has launched an investigation to find out whether the popular Apple smartphone could pose a threat to consumers. Apple, which has sold 26 million iPhones and 200 million iPods to date, said it had been informed of the French cases but would not comment until it had closely examined the damaged phones.





Why Zynga Is Worried about Playfish

When I wrote my BusinessWeek column on Zynga a while back, every venture capitalist in the Valley told me that Playdom was the company’s biggest competitor.

After all, it competes game-to-game, with similar mob-style and poker games, and was said to be doing the same revenues as Zynga with much higher profitability. (As my column pointed out, Zynga’s revenues are more like double Playdom’s, and since then I’ve heard the discrepancy is even greater.)

As you’d expect Zynga’s CEO Mark Pincus pooh-poohed Playdom as any sort of threat. But tellingly, he said the company he was worried about was UK-based Playfish. So, while I was across the pond, I decided to see what the fuss was about and sat down with Playfish’s founder and CEO Kristian Segerstrale. I came away convinced this was one of the hottest companies to watch in the UK. Here are five reasons why.

1. Not “The UK Zynga.” Playfish is very much running its own race in this market, and this may be a case where distance from the Valley is actually healthy. It doesn’t try to compete on specific games with Playdom, SGN, and Zynga. For instance, it doesn’t have a mob game, the most popular genre right now, and it doesn’t have a poker game, Zynga’s top earner. “That’s such short term thinking,” Segerstrale said. “Something is wrong if your route to success is copying competitors’ games.”

2. Platform Development Doesn’t Have to Mean Half-Ass Development. Playfish is not about building a game in a week or so and throwing it up on Facebook. Playfish spends six months to a year designing a game, and they’ve only produced seven of them. While everyone else talks up how quickly and cheaply you can build a game on social networks, Playfish still employs the same artistic discipline of a console game with a Wii-like look and feel. The plus with platforms like Facebook and the iPhone isn’t speed to market for Playfish, it’s easier distribution and greater social engagement.

3. Traction. The painstaking design process appears to be a hit. Every one of Playfish’s games has been a top ten hit on Facebook. Across all platforms, those seven games have yielded 100 million installs and 30 million monthly uniques, says Segerstrale. Playfish pays “practically nothing” for customer acquisition and makes money through virtual goods, ads and premium versions of games.

Playfish is profitable and hasn’t spent a dime of its recent $17 million funding round. That’s gotta be some top line given Playfish has 200 employees across several offices. In fact, TechCrunch Europe’s Mike Butcher speculated that Playfish could be the $1 million-dollar-a-month Facebook app maker, back in September 2008. It certainly puts the company in an enviable position given the paucity of venture funds in the UK.

4. Proximity to the Valley Insiders via Investors. While Playfish enjoys distance from the one-upmanship and developer poaching of SGN, Playdom and Zynga, it’s connected into the Valley where it counts. One of its main investors is Accel, also one of the main backers of Facebook. Yes, that matters. (See Sequoia Capital-backed Google’s purchase of Sequoia Capital-backed YouTube.)

5. Segerstrale Knows Games. This is the fuzziest one, but also probably the most important. As a CEO, Segerstrale comes to this industry from a different point of view than Pincus. Pincus has said he was never really much of a gamer—Segerstrale on the other hand has loved games since he was three years old playing Pong with his older brother. He always got a visceral rush from playing, especially with other people. So he’s spent much of his career working towards two goals: Decoding what makes a game “fun” and deconstructing the concept of a “gamer” so games are just something everyone plays.

His first attempt was at mobile, thinking that with phones in every pocket, everyone would essentially have a game console. Indeed, the company he cofounded, Glu Mobile, went on to a successful IPO. But gaming was still a niche activity on phones. There were too many barriers set up by the telcos, and it wasn’t as easy for people to find and download games. Facebook turned out to be a much greater platform for this kind of democratization of gaming because users could market games to one another.

Segerstrale’s macro theory is that we’re in the first shift of a move from physical games and goods to digital ones, and from games as a product to games as a service. It’s a theory that seems right-on to me. For one thing, we already saw it with the transition from enterprise software to software as a service. For another, sales of console games are down 20% year-over-year according to NPD, while comScore says social gaming is up 20% year-over-year. It’s nice to see a CEO who can articulate not only a product vision, but a clear industry vision.

All the positives above aside, I’m still not convinced that Segerstrale will succeed in his mission to democratize games. I still mainly use Facebook as a way to connect with friends, not to build virtual restaurants and I don’t necessarily see that changing. In fact, Facebook has so de-emphasized apps in its new all-feed iteration, I spent nearly an hour trying to find a listing of games, before someone finally told me it was on the throw-away bottom bar of the profile page. And by emphasizing the social stickiness of a game, there’s a chicken-and-egg risk that the games are boring for people who don’t have enough friends already playing.

But these are execution risks, and every promising startup has them. When it comes to business model, financing, vision and product, Playfish is certainly a formidable competitor to Zynga. With hundreds of millions in real dollars already swarming around social gaming, this will be a fun space to watch.


The Anatomy Of The Twitter Attack

The Twitter document leak fiasco started with a simple story that personal accounts of Twitter employees were hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts were compromised, and “most of the sensitive information was personal rather than company-related,” he said. The individual behind the attacks, known as Hacker Croll, wasn’t happy with that response. Lots of Twitter corporate information was compromised, and he wanted the world to know about it. So he sent us all of the documents that he obtained, some 310 of them, and the story developed from there.

It’s clear that Twitter was completely unaware of how deeply they were affected as a company - when Williams said that most of the information wasn’t company related he believed it. It wasn’t until later that he realized just how much and what kind of information was taken. It included things like financial projections and executive meeting notes that contained highly confidential information.

We’ve already said a lot about all of this and the related “server password = password” story that was discovered by another individual last week. But we’ve got two more stories to tell. The first, this post, is exactly how the hacks took place, based on information gathered from hours of conversations with Hacker Croll. The second is what was happening behind the scenes at Twitter as the story unfolded. We’ll post that later this week.

When the story first broke, the true scope of what had taken place and how it occurred was not understood. Various bloggers speculated about the cause of the attack - some placed the blame on Google, while others blamed the rising trend of hosting documents in the cloud.

We immediately informed Twitter of the information we had in our possession (and forwarded it to them), and at the same time reached out to the attacker. With some convincing, the attacker responsible for the intrusion at Twitter began a dialog with us. I spent days communicating with the attacker in an effort to gain insight into how the attack took place, what the true scope of it was and how we could learn from it.

We’ve waited to post exactly what happened until Twitter had time to close all of these security holes.

Some Background

In the security industry there is a generally accepted philosophy that no system or network is completely secure - a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through. A classic example is the case of Gary McKinnon, a self-confessed “bumbling computer nerd” who, while usually drunk and high on cannabis, would spend days randomly dialing or attempting to log in to government servers using default passwords. His efforts led to the compromise of almost 100 servers within a number of government departments. After McKinnon spent a number of years trawling through servers looking for evidence of alien life (long story), somebody within the government finally wised up to his activities, which led not only to the arrest and attempted extradition of McKinnon from the United Kingdom, but to a massive re-evaluation of the security methods employed to protect government information.

A more recent example is the case of Kendall Myers, who, after being recruited to work for the Cuban government by an anonymous stranger he met while on holiday in that country, set out to obtain a high-ranking position within the State Department specifically to gain access to US government secrets. Kendall dedicated his entire life to obtaining state secrets, and up until he was recently caught by the FBI had successfully passed on secret information and internal documents to the Cuban government for 30 years. He relied only on his memory, his education credentials and sheer dedication.

The Twitter Attack: How The Ecosystem Failed

Like the attackers in those cases, Hacker Croll used the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees. The list of services affected, either directly or indirectly, includes some of the most popular web applications in use today: Gmail, Google Apps, MobileMe, AT&T, Amazon, Hotmail and iTunes. Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. The end result was chaos, and it raises important questions about how private corporate and personal information is managed and secured at a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.

“Hacker Croll” is a Frenchman in his early 20s. He currently resides in a European country and first discovered his interest in web security over two years ago. Currently between jobs, he has made use of the additional time he now has, along with his acquired skillset, to break into both corporate and personal accounts across the web. His knowledge of web security has been attained through a combination of materials available to the public and from within a tight-knit group of fellow crackers who exchange details of new, and sometimes unknown, techniques and vulnerabilities. Despite the significance and impact a successful attack has, the cracker claims that his primary motivation is a combination of curiosity, exploration and an interest in web security. There is almost a voyeuristic tendency amongst these individuals, as they revel in the thought of gaining privileged access to information about the inner lives of individuals and corporations. The ‘high’ of access and gaining unauthorized knowledge must be big enough to carry a cracker’s motivation through the long hours, days and months of effort it may take to hit the next pot of gold.

For Hacker Croll, the first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged. This dragnet across the millions of pages on the web picked up both work and personal information on each of the names that were discovered. Public information on the web has no concept of, or ability to distinguish between, the work and personal details of a person’s identity - so from the perspective of a cracker on a research mission, having both the business and personal aspects of a target’s digital life intertwined only serves to provide additional potential entry points.

With his target mapped out, Hacker Croll knew that he likely only needed a single entry point in any one of the business or personal accounts on his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time when there was implicit trust between its participants, requiring no central or formal identification mechanism. In order to keep private data private, modern web applications have built out their own systems and policies that require a user to register and then manage their identity separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.

Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. These are features that were designed and built as a compromise, since we are often unable to remember and recall a single four-digit PIN, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit: using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use - which often is to say, very weak.

Now back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, shares data with other employees - be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application - it is the weakest application used by the weakest user. For an attacker such as Hacker Croll, looking to exploit the combination of bad user habits, poorly implemented features and users mixing their personal and business data, the chances of success just got exponentially greater. Companies that are heavily web based rely largely on users being able to manage themselves - the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.

Unfortunately for Twitter, Hacker Croll found such a weak point: an employee whose online habits are probably no different from those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account of a Twitter employee that Hacker Croll had attempted to access, but in the case of this particular account he discovered a chink in the armor that gave him the big first step. On requesting to recover the password, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the password reset email was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.

At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.

Well designed web applications will never just give a user their password if they forget it, they will force the user to pick a new one. Hacker Croll had access to the account, but with a password he had specified. To not alert the account owner that their account had been compromised, he had to somehow find out what the old Gmail password was and to set it back. He now had a bevy of information at his fingertips, a complete mailbox and control of an email account. It wasn’t long before he found an email that would have looked something like this:

To: Lazy User
From: Super Duper Web Service
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

Thank you for signing up to Super Duper Web Service. For the benefit of our support department (and anybody else who is reading this), please find your account information below:

username: LazyUser
password: funsticks

To reset your password please follow the link to.. ahh forget it, nobody does this anyway.

Regards,

Super Duper Web Service

Bad human habit #1: using the same password everywhere. We are all guilty of it. Search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to, one that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. Not too long later there was obvious activity in the email account from the account owner - incoming email read, replies sent and new messages drafted. The account owner never would have noticed that a complete stranger was lurking in the background. The second domino falls.
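The article tells you to search your own inbox for a password of your own. The following is an added example (not code from the original post, Twitter or Google) that does exactly that over an mbox export: it matches the “password: …” lines of sign-up mails like the one quoted above and flags any password that more than one service sent you, which is the reuse that let the attacker step from the personal Gmail account into the Google Apps account. The mailbox, service names, addresses and passwords below are all constructed for the example.

```python
"""Find sign-up e-mails that disclosed a password in cleartext and flag any
password that more than one service sent (the "same password everywhere"
habit).  Added example; not code from the article, Twitter or Google.
The mailbox below is a constructed sample with invented services."""
from __future__ import annotations

import re
from collections import defaultdict
from email import message_from_string
from email.message import Message

# Constructed mbox export.  Messages are separated by envelope lines that
# begin with "From " (with a space, unlike the "From:" header).
SAMPLE_MBOX = """\
From - Mon Jul 13 09:00:00 2009
To: Lazy User <lazy.user@example.net>
From: Super Duper Web Service <noreply@superduper.example>
Subject: Thank you for signing up to Super Duper Web Service

Dear Lazy User,

username: LazyUser
password: funsticks

Regards,
Super Duper Web Service

From - Tue Jul 14 10:30:00 2009
To: Lazy User <lazy.user@example.net>
From: Photo Share <welcome@photoshare.example>
Subject: Welcome to Photo Share

Your login is lazy.user@example.net and your password is: funsticks.
Keep this e-mail for your records.

From - Wed Jul 15 11:00:00 2009
To: Lazy User <lazy.user@example.net>
From: Forum Admin <admin@forum.example>
Subject: Forum registration

Account created.
Password = tr0ub4dor&3

From - Thu Jul 16 12:00:00 2009
To: Lazy User <lazy.user@example.net>
From: Newsletter <news@example.org>
Subject: Weekly digest

Forgot your password? Reset it here: https://example.org/reset
"""

# Two shapes of disclosure seen in sign-up mail.  Whitespace is limited to
# spaces/tabs so a bare "password:" at end of line does not swallow the
# first word of the next line.  A reset link ("password? Reset it here")
# matches neither pattern.
PASSWORD_PATTERNS = (
    re.compile(r"\bpassword[ \t]*[:=][ \t]*(\S+)", re.IGNORECASE),    # password: x
    re.compile(r"\bpassword[ \t]+is[ \t]*:?[ \t]*(\S+)", re.IGNORECASE),  # password is: x
)


def split_mbox(text: str) -> list[Message]:
    """Split an mbox export on its 'From ' envelope lines and parse each
    message with the standard-library e-mail parser."""
    chunks = re.split(r"^From .*\n", text, flags=re.MULTILINE)
    return [message_from_string(chunk) for chunk in chunks if chunk.strip()]


def find_cleartext_passwords(msg: Message) -> list[str]:
    """Return every password-looking value disclosed in the message body,
    with trailing sentence punctuation removed."""
    body = msg.get_payload()
    if not isinstance(body, str):  # multipart mail is out of scope here
        return []
    found: list[str] = []
    for pattern in PASSWORD_PATTERNS:
        for match in pattern.finditer(body):
            found.append(match.group(1).rstrip(".,;"))
    return found


def sender_domain(msg: Message) -> str:
    """'Photo Share <welcome@photoshare.example>' -> 'photoshare.example'."""
    sender = msg.get("From", "")
    if "@" not in sender:
        return sender.strip().lower()
    return sender.split("@", 1)[1].strip(" >").lower()


def scan_mailbox(text: str) -> dict[str, list[str]]:
    """Map each password seen in cleartext to the services that sent it."""
    seen: dict[str, list[str]] = defaultdict(list)
    for msg in split_mbox(text):
        domain = sender_domain(msg)
        for password in find_cleartext_passwords(msg):
            if domain not in seen[password]:
                seen[password].append(domain)
    return dict(seen)


def reused_passwords(text: str) -> dict[str, list[str]]:
    """Passwords sent by more than one service: a single leaked mail, or a
    single mailbox takeover as in the Twitter case, exposes all of them."""
    return {pw: svcs for pw, svcs in scan_mailbox(text).items() if len(svcs) > 1}


if __name__ == "__main__":
    for password, services in scan_mailbox(SAMPLE_MBOX).items():
        flag = "REUSED" if len(services) > 1 else "single"
        print(f"{flag:6} {password!r} sent in cleartext by {', '.join(services)}")
```

Every password this reports should be changed at the service that mailed it, and a reused one at every service that shares it.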

From here it was easy.

Hacker Croll now sifts through the new set of information he has access to, using the emails from this user’s personal Gmail account to further fill in the information map of his target. He extends his access out to all the other services he finds that this user has signed up for. In some instances the password is again the same - that led Croll into this user’s work email account, hosted on Google Apps for Your Domain. It turns out that this employee (and in fact most/all Twitter employees and everyone else) used the same password for their Google Apps email (the Twitter email account) as for their personal Gmail account. With other sites, where the original password may not work, he takes advantage of a feature many sites have implemented to help users recover passwords: the notorious “secret question”.

Let’s fork the story here for a moment, because there is a real issue with the “secret question” (from here on abbreviated, more appropriately, as just “secret ?”). For some strange reason, some sites refer to the “secret ?” as an additional layer of security, when it is often the complete opposite. In the story of Hacker Croll and Twitter, the internal documents that we now all know about were only a few steps away from the first account he gained access to. In addition, this attacker, and certainly others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain fundamental weaknesses that alone might seem harmless, but in combination with other factors allow an attacker to completely tear through the accounts of users, even those who maintain good password policy.

This is not the first time that the issue of “secret ?” being used in password recovery systems has been raised. Last September, US Republican Vice Presidential candidate and former governor of Alaska, Sarah Palin, had screenshots of her personal Yahoo mail account published to Wikileaks. A hacker or group known only as ‘Anonymous’ claimed credit for the hack, which was carried out by the attacker making an educated guess in response to the security question used to recover passwords. In early 2005, celebrity Paris Hilton suffered a similar incident when her T-Mobile Sidekick account was broken into, and the details of her call log, messages (some with private pictures of Hilton) and contact list were leaked to the media. The culprit, again, was “secret ?”.

Giving the user an option to guess the name of a pet in lieu of actually knowing a password dramatically shortens the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”. The problem is not the concept of having an additional authorization token, such as a mother’s maiden name, that can be used to authenticate in addition to a password; the problem arises when it is relied on alone, when the answer is stored in the clear in account settings, and when users end up using the same question and answer combination on all of their accounts.

From this point, with a single personal account as a starting point, the intrusion spread like a virus - infecting a number of accounts on a number of different services both inside and outside of Twitter. Once Hacker Croll had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts for at least three senior execs, including Evan Williams and Biz Stone. Perusing their email attachments led to lots more sensitive data being downloaded.

He then spidered out and accessed AT&T for phone logs, Amazon for purchasing history, MobileMe for more personal emails and iTunes for full credit card information (iTunes has a security hole that shows credit card information in clear text - we’ve notified Apple but have not heard back, so we won’t publish the still-open exploit now).

Basically, when he was done, Hacker Croll had enough personal and work information on key Twitter executives to make their lives a living hell.

Just to summarize the attack:

  1. HC accessed a Twitter employee’s Gmail account by using the password recovery feature that sends a reset link to a secondary email address. In this case the secondary address was an expired Hotmail account, so he simply registered it, clicked the link and reset the password. Gmail was then owned.
  2. HC then read emails in the account to work out what the original Gmail password had been, and set the password back to it so the Twitter employee would not notice that anything had changed.
  3. HC then used the same password to access the employee’s Twitter email on Google Apps for Your Domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
  4. HC then used this information along with additional password guesses and resets to take control of other Twitter employees’ personal and work email accounts.
  5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text.
  6. Even at this point, Twitter had absolutely no idea they had been compromised.

What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.

He also says he’s sorry for causing Twitter so much trouble. We asked Hacker Croll if he had any message he wants to deliver to Twitter, and he sent me the following:

I would like to offer my sincere apologies to the staff of Twitter. I think this company has a great future ahead of it.

I did not do this for profit. Security is a field that has fascinated me for many years, and I would like to make it my profession. In my daily life I sometimes help people protect themselves against the dangers of the Internet. I teach them the basic rules. For example: be careful where you click, which files you download and what you type on the keyboard. Make sure the computer has effective protection against viruses, external attacks, spam, phishing… Keep the operating system and frequently used software up to date… Use passwords that have nothing in common with each other. Remember to change them regularly… Never store confidential information on the computer…

I hope that my repeated intrusions have shown how easy it can be for a malicious person to gain access to sensitive information without much knowledge.

Hacker Croll.

What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.


FasterWeb Wants To Make The Entire Web Up To Ten Times Faster In 2010

As the web matures, it’s also getting more complex. Yet much of it is still fundamentally based on things like HTML which are 30 years old. A new startup, FasterWeb, aims to bring these old technologies up to speed, as it were, making the web faster by optimizing the old standards for doing new things. And in doing so, it claims that it can increase the performance of any site by 2 to 10 times, which would obviously be a huge leap forward, if it can deliver.

One VC firm, YL Ventures, believes that it can. And they’ve seen it in action, so we’ll just have to take their word for it, for now. We spoke with Yoav Andrew Leitersdorf, managing partner at YL, and he tells us that the difference between the regular web and a site optimized with FasterWeb is pretty staggering. And that’s why his firm had no hesitation in pouring an undisclosed amount of money into the Israel-based venture.

So how does FasterWeb claim to work? Leitersdorf wouldn’t go into the details, saying that’s the company’s secret, but he would say that it uses 45 different techniques to optimize the web. He also said that this is done either on the end of the content provider or the ISP. In other words, the end user doesn’t have to do a thing to experience the increase in web speed. And FasterWeb will work across all the major web browsers, starting with Internet Explorer and Firefox immediately, and expanding to the rest, including Opera, Chrome and Safari, when it’s ready for its widespread release next year.

But some sites won’t have to wait until next year to get the speed boost. Over the next several weeks, the first sites optimized with FasterWeb will begin hitting our browsers, Leitersdorf says. He would not say which ones, but notes that some will be known entities in the U.S. and worldwide.

And all of this will work for the mobile web too. “That’s one of the biggest opportunities here,” Leitersdorf says. He went on to note that they’re thinking a lot about mobile ISPs in particular.

Obviously, a two- to tenfold increase in speed is a big difference, but Leitersdorf notes that the more complex a page is, the higher the magnitude of optimization will be. This optimization occurs across HTTP, HTML, JavaScript, CSS and images on a page, to achieve the results.

The business model for the project seems sound as well. FasterWeb has a multi-pronged approach depending on the situation of the website or ISP. That means it can either charge a one-time fee, or do a revenue sharing model. “What we found out as a VC fund going into this business is that by selling this to websites, it’s going to increase their revenues. And these sites are willing to spend 20-30% of their increase in revenues on our solution,” Leitersdorf says.

He also notes that in their research, YL found only two companies that even come close to doing what these guys are doing. But Leitersdorf declined to name them. Seeing as this is all on the backend, and requires nothing from the consumers, it seems safe to assume this will be significantly better than something like the Google Web Accelerator toolbar.

Naturally, all of this sounds great, but it will be another thing to deliver on a massive scale across much of the web. “We’ve talked to the customers, they’re excited. But FasterWeb wants to make sure they’re ready,” according to Leitersdorf. And that’s why we won’t see wide-scale deployment until next year.

The Israel-based FasterWeb was started by Ofer Gadish, Gil Shai, Ofir Ehrlich and Leonid Fainberg.
