For a decade, some security professionals have held out extended validation certificates as an innovation in website authentication because they require the person applying for the credential to undergo legal vetting. That’s a step up from less stringent domain validation that requires applicants to merely demonstrate control over the site’s Internet name. Now, a researcher has shown how EV certificates can be used to trick people into trusting scam sites, particularly when targets are using Apple’s Safari browser.
Researcher Ian Carroll filed the necessary paperwork to incorporate a business called Stripe Inc. He then used the legal entity to apply for an EV certificate to authenticate the Web page https://stripe.ian.sh/. When viewed in the address bar, the page looks eerily similar to https://stripe.com/, the online payments service that also authenticates itself using an EV certificate issued to Stripe Inc.
The demonstration is concerning because many security professionals counsel end users to look for EV certificates when trying to tell if a site such as https://www.paypal.com is an authentic Web property rather than a fly-by-night look-alike page that’s out to steal passwords. But as Carroll’s page shows, EV certs can also be used to trick end users into thinking a page has connections to a trusted service or business when in fact no such connection exists. The false impression can be especially convincing when end users use Apple’s Safari browser because it often strips out the domain name in the address bar, leaving only the name of the legal entity that obtained the EV certificate.
“With enough mouse clicks, you may be able to open a system certificate viewer or get your browser to show you the city and state,” Carroll wrote. “But neither of these are helpful to a typical user, and they will likely just blindly trust the bright green indicator.”
Carroll’s demonstration comes three months after researcher James Burton exposed a different way EV certificates can be used to trick end users. He established a business named “Identity Verified” and showed how the resulting EV certificate might be used to add an air of authenticity to a scam site. Both Carroll and Burton said little effort was necessary to create the legal entities. Carroll said the demo cost $177: $100 in incorporation expenses and $77 for the certificate.
The demonstrations are generating productive discussions among developers about the way EV certificates should be treated in browser user interfaces. Security professionals are also openly discussing whether certificate rules should be modified to prevent these types of cases.
For the time being, people should remember that EV certificates aren’t automatically a panacea for online fraud. In some cases, certificates could make an otherwise obvious scam site seem legitimate. When in doubt, end users should carefully inspect the certificate and ensure it was issued to the operator of the trusted site.
Nvidia Corporation (NASDAQ:NVDA) stock continues to soar. On Friday, NVDA’s stock price cleared $200 for the first time. Nvidia shares have nearly doubled just since early May, adding roughly $57 billion in market cap in the process. With NVDA earnings on tap for next week, there’s the potential for more gains.
Some level of optimism makes sense. Nvidia’s opportunities in gaming and automotive suggest years of revenue and profit growth. Last month, James Brumley highlighted the company’s edge in artificial intelligence as well. With chip stocks showing significant strength (even long-stagnant Intel Corporation (NASDAQ:INTC) has gotten in on the act of late), NVDA news seems to be nothing but good.
And yet, valuation and competition questions persist, as I argued a few weeks ago. Of course, NVDA has gained more than 10% since that article, as the stock continues to make a fool of anyone who questions it. At some point, however, the bull run has to come to an end, right?
Are NVDA Earnings a Trap?
InvestorPlace columnist Bret Kenwell asked on Thursday if the post-earnings plunge at Advanced Micro Devices, Inc. (NASDAQ:AMD) might suggest a similar pullback for Nvidia stock after NVDA earnings on November 9. It’s a question worth asking.
NVDA did fall 2%+ on Wednesday in sympathy with AMD, which fell double digits after weak guidance for Q4. And there’s some reason to be concerned about Nvidia stock after reviewing the AMD report.
For one, AMD guided for “some leveling off,” as CEO Dr. Lisa Su put it on the Q3 conference call, of cryptocurrency mining demand. That demand has benefited GPU sales for both AMD and Nvidia, a tailwind that might be moderating. Secondly, AMD’s GPU business had a record quarter in Q3, which might suggest that its Radeon cards are taking share from market leader NVDA.
But there was one piece of good news for Nvidia (and AMD) on the Q3 call. Su cited “significantly improved” selling prices for GPUs as a driver of that company’s record sales. That suggests that both the category is growing and that AMD isn’t yet trying to significantly undercut Nvidia on price.
That’s important. One of the most attractive features of Nvidia’s business model is its exceptional margin profile. And one of the key concerns raised by AMD’s improved competitive position in gaming — far and away the most important business for Nvidia, at least at the moment — was of a potential pricing war, or at least pricing pressure. Without that headwind, there’s less reason to see a profit miss for Nvidia in Q3 earnings, and less reason to predict a post-earnings pullback.
How Much More Upside Is Left for Nvidia Stock?
All told, the quick bounce back in NVDA stock on Thursday and Friday makes some sense. But from a long-term standpoint, the valuation here still looks dicey. The Nvidia stock price today suggests a forward multiple of about 48x, even backing out the $6 per share or so in net cash on the balance sheet.
On Election Day in 2016, a meme showed up on Instagram under the Republican Party name, with a picture of Barack Obama and Hillary Clinton photoshopped into a garbage truck and Donald Trump giving a thumbs-up.
Under the party’s elephant mascot, the picture read, “Trash Pickup – November 9, 2016,” while the caption said, “Time to take out the trash America!” The garbage meme went out to more than 270,000 followers and received more than 29,000 likes.
The GOP never commented on the picture. In fact, it’s never commented on any of the 800-plus often-controversial posts that @RepublicanParty has made on Instagram because it’s not an official account. The Republican National Committee uses the handle @GOP on Instagram.
But here’s the kicker: @RepublicanParty boasts 448,000 followers — more than quadruple the 105,000 people following the verified GOP account. That’s worrisome, considering the content shared on @RepublicanParty and the likelihood some people mistakenly believe it’s legit.
The popularity of the namesake account is just the latest reminder that you can’t believe everything you see on social media. Facebook, Twitter and Google are doing battle against fake news. Congress is looking into an active Russian trolling campaign on social media, through which Facebook took in $100,000 worth of ads while Twitter found 201 accounts tied to spreading propaganda.
Now you have to double-check that the account you’re looking at is actually on the up-and-up.
Instagram declined to comment, saying it doesn’t speak about individual accounts.
The GOP declined to comment on @RepublicanParty, but a person familiar with the organization noted the complexities of removing such accounts.
“Their stringent rules about what constitutes an impersonation often make the process of getting a page removed difficult,” the person said.
This isn’t the first time the GOP has been effectively copied.
There was TEN_GOP, a Russia-linked Twitter account that pretended to be the Tennessee Republican party. It amassed about 136,000 followers for nearly a year before Twitter suspended it. The actual Tennessee GOP said it had reported the account three times to Twitter, but the company didn’t take action until 11 months later.
Despite not having a verification checkmark, TEN_GOP managed to trick high-profile individuals on Twitter, from Nicki Minaj to Ann Coulter.
Twitter declined to comment on individual accounts.
Now, on Instagram, the GOP has a similar problem with @RepublicanParty.
The account manages to stay active on Instagram because it doesn’t quite pretend to be the GOP. When you land on the page, it becomes pretty obvious the account is a promotional tool for Greater Half, a pro-Trump merchandise shop based in Bowling Green, Kentucky.
Underneath the name and logo is the label “Personal Blog.” By contrast, the @GOP account has the checkmark indicating a verified account and is labeled “Political Party.”
Chris Benson, vice president at Greater Half, said he’s operated the @RepublicanParty handle for over a year, without intending to pose as the GOP. He also doesn’t plan to give it up, pointing out the value of having a name associated with the political party.
“We capitalized on an Instagram handle that we knew would help our business,” Benson said. “If I could own @HomeDepot, I would own it.”
Despite the labeling, the @RepublicanParty account boasts far more activity than the GOP one. From the period between October 2015 and July of this year, it saw roughly 8.5 million interactions, according to Jonathan Albright, a research director at Columbia University’s Tow Center for Digital Journalism.
“There’s no reason a random rip-off of the Republican Party should have 8.5 million likes and the GOP only has 415,000,” Albright said. “That’s crazy.”
Using Facebook’s social analytics tool CrowdTangle, he found that the GOP had about 19,000 interactions a month during that period. The @RepublicanParty account had nearly 20 times as many likes and comments with 374,000 monthly interactions.
And none of these are interactions for posts aligned with the GOP’s views. On Nov. 16, 2016, @RepublicanParty posted a meme making light of a protester being run over. The account also spread fake news about the date for Election Day, similar to an online hoax to suppress voters.
There are divisive posts on immigrants, Hillary Clinton and Black Lives Matter protests. In the last example, several people left comments as if the post were actually from the Republican party.
“When you constantly wonder why people think your party promotes racism,” one commenter wrote.
Game of clones
Despite its misinformation, @RepublicanParty continues to grow much faster than @GOP on Instagram. It gains nearly 10,000 followers every month, while the GOP account grows by about 4,000 followers a month, according to SocialBlade.
And the real GOP can’t do a thing about it.
Instagram’s community guidelines on Impersonation Accounts say the service takes “safety seriously” on hoax accounts for individuals, but for brands, like the GOP, there’s a higher threshold.
“Using another’s trademark in a way that has nothing to do with the product or service for which the trademark was granted is not a violation of Instagram’s trademark policy,” the social network says on its Help Center.
So even though @RepublicanParty uses the GOP’s logo and name, because it’s not actively pretending to be the political organization, it lives to see another day.
The Democratic Party has its share of imitators on Instagram as well, but none matches the reach of the official account.
@RepublicanParty has become so influential that it’s the first result when you search “Republican Instagram” on Google, and the second result for “GOP Instagram.”
Albright first discovered @RepublicanParty while tracking a network of Russia-linked Instagram accounts, but there’s no evidence that it’s tied to the country.
He was following merchandise Instagram accounts tied to Being Patriotic, a Facebook group run by a Russian troll farm first discovered by The Daily Beast. All the merchandise shops reference each other in their posts, creating an echo chamber similar to how botnets on Twitter work. The @RepublicanParty account had been mentioned in several posts, Albright said.
“It’s a suspicious account, and it’s in that extended network,” he said. “It pushes the same types of themes and messages that the other ones do. But it’s hard to pull out the ones that would be foreign and the ones that are domestic.”
Benson denied any ties to Russia.
Lacking controversial memes, the Greater Half Instagram account has 30,000 followers, less than one-tenth of the @RepublicanParty account.
A service address for Greater Half was listed in Tempe, Arizona, at the same location as Mousegraphics, a family-owned printing service.
Brian Perkinson, owner of the printing shop, said Mousegraphics serves as Greater Half’s warehouse, but he’s not familiar with the company.
“We don’t communicate with them that much,” Perkinson said. “The orders come in, we ship them, we invoice them and they pay us. I think we got their work from a cold call through Instagram.”
Originally published Oct. 27 at 5:00 a.m. PT. Update at 9:05 a.m. PT: Added comments from Greater Half’s Chris Benson.
According to a new report from KGI Securities analyst Ming-Chi Kuo, Apple is still facing supply chain constraints for the upcoming iPhone X. The company will have around 2 to 3 million units before the launch on November 3rd, which shouldn’t be enough to meet demand.
While Apple didn’t disclose exact numbers for first-weekend sales last year, the company sold 13 million iPhone 6s units during the first weekend, 10 million iPhone 6 units and 9 million iPhone 5s/5c units. The iPhone 8 is already available, which could mitigate demand for the iPhone X, but it sounds like many buyers will be disappointed by Apple’s initial stock.
In many ways, the iPhone X packs more innovative components than your average new iPhone. Apple usually adds cutting-edge components when its suppliers can produce tens of millions of them. But multiple parts of the iPhone X are generating supply chain issues.
According to KGI Securities, Apple now uses a flexible printed circuit board for the antenna. This is not your average circuit board, so Apple has had issues finding suppliers that can produce those components at scale. Murata was supposed to be the main supplier for this part, but it sounds like the company can’t meet Apple’s strong requirements. Since then, Apple has found a new supplier, which created some delays.
On the camera front, Apple is using a different circuit board for each sensor. Other phone makers only use one circuit board. This custom design has also been a challenge.
Finally, the iPhone X features a ton of sensors on the front of the device. Apple has packed a tiny Kinect in the notch of the device. One component in particular projects a network of infrared dots to create a 3D map of your face based on the reflection of those dots. Apple has had issues finding a supplier that can produce enough dot projectors for the iPhone X.
iPhone X pre-orders start on Friday, October 27th at midnight Pacific time. If you plan on getting the new phone, you shouldn’t delay your pre-order. Chances are that shipping estimations are going to slip to multiple weeks after just a few minutes.
Production should ramp up in the coming weeks, but it sounds like it could take months before you can just walk into an Apple store and buy a new iPhone X. It’s going to be interesting to hear Tim Cook’s comments on those supply chain issues when Apple announces its quarterly earnings in a couple of weeks.